New Lattice Based Cryptographic Constructions

Oded Regev EECS Department, UC Berkeley, Berkeley, CA 94720. Email: odedr@cs.berkeley.edu. Most of this work was done while the author was at the Institute for Advanced Study, Princeton, NJ. Work supported by the Army Research Office grant DAAD19-03-1-0082 and NSF grant CCR-9987845.
Abstract

We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop provide an elegant description of certain Gaussian distributions around lattice points. Our results include two cryptographic constructions which are based on the worst-case hardness of the unique shortest vector problem. The main result is a new public key cryptosystem whose security guarantee is considerably stronger than previous results ($O(n^{1.5})$ instead of $O(n^{7})$). This provides the first alternative to Ajtai and Dwork’s original 1996 cryptosystem. Our second result is a family of collision resistant hash functions which, apart from improving the security in terms of the unique shortest vector problem, is also the first example of an analysis which is not based on Ajtai’s iterative step. Surprisingly, both results are derived from one theorem which presents two indistinguishable distributions on the segment $[0,1)$. It seems that this theorem can have further applications and as an example we mention how it can be used to solve an open problem related to quantum computation.

1 Introduction

Cryptographic constructions based on lattices have attracted considerable interest in recent years. The main reason is that, unlike many other cryptographic constructions, lattice based constructions can be based on the worst-case hardness of a problem. That is, breaking them would imply a solution to any instance of a certain lattice problem. In this paper we will be interested in the unique shortest vector problem (uSVP), a lattice problem which is believed to be hard: we are asked to find the shortest vector in an $n$-dimensional lattice with the promise that it is shorter by a factor of $n^{c}$ than all other non-parallel vectors. Hence, the problem becomes harder as $c$ decreases. The results in this field can be divided into two types. The first includes public key cryptosystems and the second includes families of collision resistant hash functions.

The only previously known public key cryptosystem based on a worst-case lattice problem is the one due to Ajtai and Dwork [2] which appeared in 1996. They presented a public key cryptosystem based on the worst-case hardness of $O(n^{8})$-uSVP. Then, in [8], Goldreich, Goldwasser and Halevi showed how to eliminate decryption errors that existed in the original scheme. They also improved the security to $O(n^{7})$-uSVP. Although there are other lattice based cryptosystems (see, e.g., [9, 10, 13]), none of them is based on the worst-case hardness of a lattice problem. Our main result is a new public key cryptosystem whose security is based on $O(n^{1.5})$-uSVP.

In [1], Ajtai presented a family of one-way hash functions based on the worst-case hardness of several lattice problems. In terms of the uSVP, it was based on the hardness of $O(n^{c})$-uSVP. The constant $c$ was not explicitly specified but later it was noted to be $c = 19$ [4]. In [7], it was shown that under the same assumptions one can obtain a family of collision resistant hash functions. This is a stronger primitive than a one-way function and has many uses in cryptography. Cai and Nerurkar [5] improved the exponent to $c = 9+\epsilon$ and later, by providing an improved analysis, Cai [4] obtained $c = 4+\epsilon$. These papers also showed how to base the security of the hash function on other lattice problems which are potentially harder than uSVP (e.g., GapSVP and GapSIVP). In [15], Micciancio recently constructed a family of hash functions with the best known constant $c$ for several important lattice problems (but not for uSVP). In another paper [14], Micciancio improved the efficiency of the hash function by using cyclic lattices. Roughly speaking, all of these results are based on variations of a method known as Ajtai’s iterative step.

Our contribution

The main contribution of this paper is the introduction of Fourier analysis on lattices as an integral part of a lattice based construction. Fourier analysis was previously used indirectly through transference theorems, i.e., theorems that relate properties of a lattice and its dual (see, e.g., [4]). Our constructions are the first to use Fourier analysis directly.

Our main theorem is a reduction from $O(n^{1.5})$-uSVP to the problem of distinguishing between two types of distributions on the segment $[0,1)$. We believe that this theorem will find other uses in the future.

Using the main theorem, we present three results. The main one is a new public key cryptosystem which is based on the hardness of $O(n^{1.5})$-uSVP. This is a major improvement to the 1996 cryptosystem by Ajtai and Dwork. Its description is surprising in that it essentially consists only of numbers modulo some large number $N$. Our second result is a family of collision resistant hash functions whose security is based on $O(n^{1.5})$-uSVP. In terms of the uSVP, this improves all the previous results mentioned above. However, previous results were not based only on uSVP and are therefore incomparable with our result. In addition, ours is the first lattice based hash function whose analysis is not based on Ajtai’s iterative step. The hash function that we consider is simple and is known as the modular subset sum function (previous constructions of hash functions were usually presented as functions on random lattices; however, most of these results can be easily extended to the modular subset sum function, as was already noted in Ajtai’s original paper [1]). This function already appeared in previous papers; for example, one of the results in [11] is an average-case to average-case reduction for the function. The third result is related to an open question in quantum computation and will be discussed in Section 7.

Intuitive overview

In the following we provide an informal overview of the results in this paper. Many of the details are omitted for the sake of clarity.

Main theorem: Our main theorem is a reduction from $O(n^{1.5})$-uSVP to the problem of distinguishing between two types of distributions on $[0,1)$. One distribution is the uniform distribution $U$ while the other, $T_h$, is concentrated around integer multiples of $1/h$ for some unknown large integer $h \le 2^{O(n^2)}$ (notice that if we knew $h$ we could easily distinguish between the two). The sharpness of the concentration in this ‘wavy’ distribution depends on the factor of the uSVP problem. For example, $O(n^{1.5})$-uSVP translates to a concentration of around $1/n$, that is, the difference between two adjacent peaks is roughly $n$ times the width of a peak (see Figure 1). Notice that the reduction is to a worst-case problem in the sense that one has to distinguish between the uniform distribution and the wavy distribution for all values $h$ in a certain range. Nevertheless, the wavy distribution has the property that if one distinguishes it from uniform for some small fraction of $h$ then one can also distinguish it from uniform for all values of $h$. This average-case to worst-case property will be implicit in our cryptographic applications. In the following we describe the three steps in the proof of the main theorem.
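The remark that knowing $h$ makes the two distributions easy to tell apart can be checked directly. The following is an added illustration, not code from the paper: it samples a simplified model of $T_h$ (a uniformly random peak $i/h$ plus Gaussian noise of standard deviation $1/n$ of the peak spacing, reduced modulo 1), scores how concentrated the samples are around multiples of $1/h$ for a guessed $h$, and also shows what happens when the guess is only approximately right. The values of $h$, $n$ and the sample count are arbitrary choices for the demonstration.

```python
"""Sampling the wavy distribution T_h and the distinguisher one gets from knowing h.

Added illustration, not code from the paper.  T_h is modelled here in a
simplified way: a uniformly random peak i/h plus Gaussian noise whose standard
deviation is 1/n of the peak spacing 1/h, reduced modulo 1.  h, n and the
sample count are arbitrary choices for the demonstration.
"""
import random


def sample_wavy(h, n, k, rng):
    """k samples from (this model of) T_h."""
    return [((rng.randrange(h) + rng.gauss(0.0, 1.0 / n)) / h) % 1.0 for _ in range(k)]


def sample_uniform(k, rng):
    """k samples from U on [0,1)."""
    return [rng.random() for _ in range(k)]


def peak_score(samples, h_guess):
    """Fraction of samples within a quarter period of a multiple of 1/h_guess.
    Uniform data scores about 1/2; T_h data with the correct h scores about 1."""
    hits = 0
    for x in samples:
        phase = (h_guess * x) % 1.0          # position of x inside its period
        if min(phase, 1.0 - phase) < 0.25:
            hits += 1
    return hits / len(samples)


def looks_wavy(samples, h_guess, threshold=0.75):
    """The distinguisher of the remark: reduce modulo 1/h and test for concentration."""
    return peak_score(samples, h_guess) > threshold


def demo(seed=1, h=1 << 20, n=20, k=4000):
    rng = random.Random(seed)
    wavy = sample_wavy(h, n, k, rng)
    uniform = sample_uniform(k, rng)
    h_approx = h + h // 1000                 # an estimate of h that is 0.1% too large
    return {
        "wavy, exact h": peak_score(wavy, h),
        "uniform, exact h": peak_score(uniform, h),
        "wavy, approximate h": peak_score(wavy, h_approx),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:22s} score = {score:.3f}")
```

The third score is the point the hash function overview later has to work around: with an estimate $\tilde h$ that is off by a factor $1 + 1/1000$, the error $i\,(1/h - 1/\tilde h)$ exceeds a whole period for all but a negligible fraction of the $h$ peaks, so reducing modulo $1/\tilde h$ looks exactly like uniform data.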

The first step involves a reduction from the search problem uSVP to a certain decision problem on lattices. Assume that the shortest vector is $\sum_{i=1}^{n} a_i v_i$ where $a_i \in \mathbb{Z}$ and $v_1,\ldots,v_n$ is a basis of the lattice. The decision problem asks whether $p \mid a_i$ where $p$ is some prime number which we choose to be slightly more than $n^{1.5}$. The reduction is a Cook reduction and the idea is to make the lattice sparser and sparser without losing the shortest vector. At the end, the lattice is so sparse that we can easily find the shortest vector. For example, when $p \mid a_i$ we can replace $v_i$ with $p \cdot v_i$ without losing the shortest vector. The actual proof is slightly more involved as we have to handle cases where $p \nmid a_i$.

The second step is the core of the proof. Here, we reduce the above decision problem to a problem of distinguishing between two $n$-dimensional distributions. Namely, one distribution is uniform and the other is a ‘wavy’ distribution. We begin by developing a few lemmas based on a theorem of Banaszczyk. Essentially, this theorem says that if we choose a ‘random’ lattice point from the dual $L^{*}$ of a lattice and perturb it by a Gaussian of radius $\sqrt{n}$ then the distribution obtained can be closely approximated by a function that depends only on points in $L$ (the primal lattice) that are within distance $\sqrt{n}$ of the origin. We apply this theorem to two types of lattices $L$. The first is a lattice $L$ where all nonzero vectors are of length more than $\sqrt{n}$. Here we get that the distribution around points of $L^{*}$ is determined only by the origin of the primal lattice and is therefore very close to uniform. The second type is a lattice with one short vector $u$ of length (say) $1/n$ and all other non-parallel vectors of length more than $\sqrt{n}$. The distribution that we obtain here is almost uniform on $(n-1)$-dimensional hyperplanes orthogonal to $u$. In the direction of $u$ the distribution has peaks at distance $n$ from each other, each of width $1$. The way we use these results is the following. Recall that we are given an $n^{1.5}$-unique lattice and we should decide whether $p \mid a_i$. We do this by first scaling the lattice so that the length of the shortest vector is $1/n$ and therefore all non-parallel vectors are of length more than $n^{1.5}/n = \sqrt{n}$. We then multiply $v_i$ by $p$. If $p \mid a_i$ then the shortest vector remains in the lattice and therefore the distribution in the dual lattice is the wavy distribution described above. Otherwise, if $p \nmid a_i$, the shortest vector disappears and since $p > n^{1.5}$ the resulting lattice has no vectors shorter than $\sqrt{n}$. Therefore, the distribution obtained in the dual is very close to uniform.

The third and final step consists of ‘projecting’ the $n$-dimensional distributions described above onto a one-dimensional distribution. Naïvely, one can choose a point according to the $n$-dimensional distribution and project it down to a line. However, this would ruin the original distribution. We would like to project down to a line but only from tiny areas around the line. This would guarantee that the original distribution is preserved. This, however, presents a new difficulty: how can one guarantee that a randomly selected point according to the distribution in $\mathbb{R}^{n}$ falls close to the line? We solve this by using the fact that the distribution is periodic on the lattice. Hence it is enough to consider the distribution on the fundamental parallelepiped of the lattice. Now we can draw a line that passes through the parallelepiped many times and that is therefore ‘dense’ in the $n$-dimensional space inside the parallelepiped (see Figure 2). Projecting the two $n$-dimensional distributions above will produce either the uniform distribution $U$ or the wavy distribution $T_h$ for some $h$. This completes the description of the main theorem.

Public key cryptosystem: Let $N$ be some large integer. The private key consists of a single integer $h$ chosen randomly in the range (say) $[\sqrt{N}, 2\sqrt{N})$. The public key consists of $m = O(\log N)$ numbers $a_1,\ldots,a_m$ in $\{0,1,\ldots,N-1\}$ which are ‘close’ to integer multiples of $N/h$ (notice that $h$ doesn’t necessarily divide $N$). We also include in the public key an index $i_0 \in [m]$ such that $a_{i_0}$ is close to an odd multiple of $N/h$. We encrypt one bit at a time. An encryption of the bit 0 is the sum of a random subset of $\{a_1,\ldots,a_m\}$ modulo $N$. An encryption of the bit 1 is similar but we add $\lfloor a_{i_0}/2 \rfloor$ to the result. On receiving an encrypted word $w$ we consider its remainder on division by $N/h$. If it is small, we decrypt 0 and otherwise we decrypt 1. Notice that since $a_1,\ldots,a_m$ are all close to integer multiples of $N/h$, any encryption of 0 is also close to a multiple of $N/h$ and the decryption is correct. Similarly, since $\lfloor a_{i_0}/2 \rfloor$ is far from a multiple of $N/h$, encryptions of $1$ are also far from multiples of $N/h$ and the decryption is 1.
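The scheme as sketched can be run end to end at toy size. The following is an added illustration, not the paper’s reference code or its parameter choice: $N$, $m$ and the noise bound $E$ are picked here only so that decryption is correct, and no security claim is attached to them. The remainder on division by $N/h$ is computed with exact rational arithmetic because $h$ need not divide $N$.

```python
"""Toy instance of the public key cryptosystem sketched above.

Added illustration, not the paper's reference code or its parameter choice:
N, m and the noise bound E are picked here only so that decryption is
correct for the demonstration, with no security claim attached to them.
"""
from fractions import Fraction
import math
import random

rng = random.SystemRandom()


def keygen(N, m):
    """Private key h in [sqrt N, 2 sqrt N); public key (a_1..a_m, i0)."""
    root = math.isqrt(N)
    h = rng.randrange(root, 2 * root)
    step = Fraction(N, h)                 # N/h, kept exact: h need not divide N
    # Noise bound (our choice): m+1 noisy terms must stay well inside step/4.
    E = int(step / (8 * (m + 1)))
    i0 = rng.randrange(m)
    a = []
    for i in range(m):
        # a_{i0} sits near an odd multiple of N/h, the others near any multiple
        k = rng.randrange(1, h, 2) if i == i0 else rng.randrange(h)
        noise = rng.randrange(-E, E + 1)
        a.append((round(k * step) + noise) % N)
    return h, (a, i0)


def encrypt(pub, N, bit):
    """Bit 0: random subset sum mod N.  Bit 1: the same plus floor(a_{i0}/2)."""
    a, i0 = pub
    w = sum(ai for ai in a if rng.randrange(2))
    if bit:
        w += a[i0] // 2
    return w % N


def decrypt(h, N, w):
    """Remainder of w on division by N/h: small -> 0, otherwise -> 1."""
    step = Fraction(N, h)
    r = Fraction(w) % step
    dist = min(r, step - r)               # distance to the nearest multiple of N/h
    return 0 if dist < step / 4 else 1


if __name__ == "__main__":
    N, m = 1 << 64, 40
    h, pub = keygen(N, m)
    for bit in (0, 1):
        w = encrypt(pub, N, bit)
        print(bit, "->", w, "->", decrypt(h, N, w))
```

Why decryption works with these choices: an encryption of 0 is at most $m(E + 1/2)$ away from a multiple of $N/h$ (the $1/2$ is the rounding of $k N/h$ to an integer), and $\lfloor a_{i_0}/2\rfloor$ is within $E/2 + 1$ of $N/(2h)$ modulo $N/h$ because its multiple is odd; with $E \le (N/h)/(8(m+1))$ both cases stay on their side of the threshold $N/(4h)$. Reducing modulo $N$ first does not disturb the remainder modulo $N/h$, since $N = h \cdot (N/h)$ exactly.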

The following is a rough description of how we establish the security of the cryptosystem. Assume that there exists a distinguisher $\mathcal{A}$ that given the public key can distinguish encryptions of 0 from encryptions of 1. In other words, the difference between the acceptance probability $p_0$ on encryptions of 0 and the acceptance probability $p_1$ on encryptions of 1 is non-negligible. Therefore, if $p_u$ is the acceptance probability on random words $w$, it must be the case that either $|p_u - p_0|$ or $|p_u - p_1|$ is non-negligible. Assume that the former case holds (the latter case is similar). Then we construct a distinguisher between the distributions $U$ and $T_h$. Let $R$ be the unknown distribution on $[0,1)$. We choose $m$ values from $R$, multiply them by $N$ and round the result. Let $a_1,\ldots,a_m$ be the result. We then estimate $\mathcal{A}$’s acceptance probability when the public key $a_1,\ldots,a_m$ (for simplicity we ignore $i_0$) is fixed and the word $w$ is chosen randomly as an encryption of 0. This is done by simply calling $\mathcal{A}$ many times, each time with a new $w$ computed according to the encryption algorithm. We also estimate $\mathcal{A}$’s acceptance probability when $w$ is chosen uniformly from $\{0,1,\ldots,N-1\}$ and not according to the encryption algorithm. If there is a non-negligible difference between the two estimates, we decide that $R$ is $T_h$ and otherwise we say that $R$ is $U$. We claim that this distinguishes between $U$ and $T_h$. If $R$ is $U$ then $a_1,\ldots,a_m$ are uniform in $\{0,1,\ldots,N-1\}$. One can show that this implies that the distribution of encryptions of 0 is very close to the uniform distribution and therefore $\mathcal{A}$ (as well as any other algorithm) cannot have different acceptance probabilities for the two distributions. Otherwise, $R$ is $T_h$ and the distribution that we obtain on $a_1,\ldots,a_m$ is the same one that is used in the public key algorithm. Therefore, according to our hypothesis, $\mathcal{A}$ should have a non-negligible difference between the two cases.

A family of collision resistant hash functions: We choose $m = O(\log N)$ random numbers $a_1,\ldots,a_m$ uniformly from $\{0,1,\ldots,N-1\}$ and define the hash function $f(b) = \sum_{i=1}^{m} b_i a_i \bmod N$ where $b \in \{0,1\}^{m}$. A collision finding algorithm in this case means an algorithm $\mathcal{A}$ that, given random $a_1,\ldots,a_m$, finds with non-negligible probability a nonzero vector $b \in \{-1,0,1\}^{m}$ such that $\sum b_i a_i \equiv 0 \pmod{N}$. Using $\mathcal{A}$ we show how to build a distinguisher between $U$ and $T_h$.
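The passage from a colliding pair $b, b' \in \{0,1\}^m$ to the nonzero vector in $\{-1,0,1\}^m$ that the reduction consumes is just $b - b'$. The following is an added illustration, not the paper’s code: it evaluates the modular subset sum function, finds a collision by exhaustive search at a toy size ($m = 16$, $N = 2^{12}$, so that $2^m > N$ forces one to exist), and checks the resulting $\{-1,0,1\}$ vector. The key is drawn with a fixed seed purely for reproducibility.

```python
"""The modular subset sum hash f(b) = sum_i b_i a_i mod N and what a collision yields.

Added illustration, not the paper's code.  Sizes are toy (m = 16, N = 2^12) so
that a collision can be found by exhaustive search; the key a_1..a_m is drawn
with a fixed seed purely for reproducibility.
"""
import random


def hash_key(m, N, rng):
    """The public description of f: m uniform numbers in {0, ..., N-1}."""
    return [rng.randrange(N) for _ in range(m)]


def f(a, N, b):
    """f(b) = sum b_i a_i mod N for b in {0,1}^m."""
    return sum(bi * ai for bi, ai in zip(b, a)) % N


def find_collision(a, N):
    """Exhaustive search over {0,1}^m; a collision must exist once 2^m > N."""
    m = len(a)
    seen = {}
    for x in range(1 << m):
        b = [(x >> i) & 1 for i in range(m)]
        y = f(a, N, b)
        if y in seen:
            return seen[y], b
        seen[y] = b
    return None


def collision_to_kernel_vector(b1, b2):
    """b1 - b2 lies in {-1,0,1}^m and satisfies sum (b1-b2)_i a_i = 0 mod N,
    which is exactly the kind of output the distinguisher in the text consumes."""
    return [x - y for x, y in zip(b1, b2)]


def is_kernel_vector(a, N, v):
    """Nonzero, entries in {-1,0,1}, and sum v_i a_i = 0 mod N."""
    return (any(v)
            and all(vi in (-1, 0, 1) for vi in v)
            and sum(vi * ai for vi, ai in zip(v, a)) % N == 0)


def demo(seed=7, m=16, N=1 << 12):
    rng = random.Random(seed)
    a = hash_key(m, N, rng)
    b1, b2 = find_collision(a, N)
    v = collision_to_kernel_vector(b1, b2)
    return a, b1, b2, v


if __name__ == "__main__":
    a, b1, b2, v = demo()
    print("f(b1) = f(b2) =", f(a, 1 << 12, b1))
    print("kernel vector:", v, "valid:", is_kernel_vector(a, 1 << 12, v))
```

The vector $v = b - b'$ is a nonzero element of the lattice $\{b \in \mathbb{Z}^m : \sum b_i a_i \equiv 0 \pmod N\}$ with every coordinate in $\{-1,0,1\}$, i.e. a very short vector of that lattice; this is the ‘function on a random lattice’ viewpoint of the earlier constructions mentioned above, and it is why a collision finder for $f$ is the same thing as a short vector finder for such lattices.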
By trying many values of the form $(1 + 1/\mathrm{poly}(m))^{i}$ we can obtain an estimate $\tilde h$ of $h$ up to some small $1/\mathrm{poly}(m)$ error. We would like to use $\tilde h$ to check if the distribution is concentrated around multiples of $\frac{1}{h}$. Sampling values from the unknown distribution $R$ and reducing modulo $1/\tilde h$ does not help because the difference between $i/h$ and $i/\tilde h$ is much larger than $1/\tilde h$ for almost all $0 \le i < h$ (recall that $h$ is roughly $\sqrt{N}$, which is exponential in $m$). The idea is to use the collision finding algorithm to create from $T_h$ a distribution which is also concentrated around the peaks $i \cdot \frac{1}{h}$ but only for $i \le m$.

We sample $m$ values $x_1,\ldots,x_m$ from the unknown distribution $R$. We add small perturbations $y_1,\ldots,y_m$, chosen uniformly in $[0, 1/\tilde h)$, to $x_1,\ldots,x_m$ respectively. We denote the result by $z_1,\ldots,z_m$. Now we call $\mathcal{A}$ with $\lfloor N \cdot z_1 \rfloor,\ldots,\lfloor N \cdot z_m \rfloor$ and we get a subset $S$ such that $\sum_{i \in S} z_i \bmod 1$ is very close to zero. For simplicity assume that it is exactly zero. We then check if $\sum_{i \in S} x_i \bmod 1 = -\sum_{i \in S} y_i \bmod 1$ is close to an integer multiple of $1/\tilde h$. If $R$ is the uniform distribution on $[0,1)$ then, conditioned on any values of $z_1,\ldots,z_m$, the distribution of $y_1,\ldots,y_m$ is still uniform in $[0, 1/\tilde h)$ and hence $\sum_{i \in S} y_i$ is unlikely to be close to an integer multiple of $1/\tilde h$. If $R$ is $T_h$ then, conditioned on any values of $z_1,\ldots,z_m$, the $x_i$’s are distributed around one or two peaks of $T_h$. Therefore, $\sum_{i \in S} x_i \bmod 1$ is close to a multiple of $\frac{1}{h}$. Moreover, since the $y_i$’s are at most $1/\tilde h$, their sum is at most $m/\tilde h$. Since the estimate $\tilde h$ satisfies that for $1 \le i \le m$, $i/h$ is very close to $i/\tilde h$, the distinguisher can reduce $\sum_{i \in S} x_i$ modulo $1/\tilde h$ and see that it is close to a multiple of $1/\tilde h$, as required.

One last issue that we have to address is that $\mathcal{A}$ might not find collisions on inputs of the form $\lfloor N \cdot z_1 \rfloor,\ldots,\lfloor N \cdot z_m \rfloor$ when $R$ is not the uniform distribution. This is because our assumption was that $\mathcal{A}$ finds collisions on inputs chosen uniformly. But if $\mathcal{A}$ does not find collisions we know that $R$ has to be $T_h$ and hence we can still distinguish between $U$ and $T_h$.

Outline

In Section 2 we list several definitions and some properties of lattices that will be needed in this paper (for an introduction to lattices see [16]). After defining several distributions in Section 2.1 we present the two cryptographic constructions in Section 3. The main theorem is developed in Section 4. The analysis of the public key cryptosystem is in Section 5 and that of the hash function is in Section 6. In Section 7 we present a solution to an open problem related to quantum computation. Several technical claims appear in Appendix A.

2 Preliminaries

A lattice in $\mathbb{R}^{n}$ is defined as the set of all integer combinations of $n$ linearly independent vectors. This set of vectors is known as a basis of the lattice and is not unique. Given a basis $(v_1,\ldots,v_n)$ of a lattice $L$, the fundamental parallelepiped is defined as

$$\mathcal{P}(v_1,\ldots,v_n) = \Big\{ \sum_{i=1}^{n} x_i v_i \;\Big|\; x_i \in [0,1) \Big\}.$$

When the basis is clear from the context we will use the notation ${\cal P}(L)$ instead of ${\cal P}(v_1,\ldots,v_n)$. Note that a lattice has a different fundamental parallelepiped for each possible basis. We denote by $d(L)$ the volume of the fundamental parallelepiped of $L$ or equivalently, the determinant of the matrix $B$ whose columns are the basis vectors of the lattice. The point $x\in\mathbb{R}^n$ reduced modulo the parallelepiped ${\cal P}(v_1,\ldots,v_n)$ is the unique point $y\in{\cal P}(v_1,\ldots,v_n)$ such that $y-x$ is an integer combination of $v_1,\ldots,v_n$ (see, e.g., [13]). The dual of a lattice $L$ in $\mathbb{R}^n$, denoted $L^*$, is the set of all vectors $y\in\mathbb{R}^n$ such that $\langle x,y\rangle\in\mathbb{Z}$ for all vectors $x\in L$. Similarly, given a basis $(v_1,\ldots,v_n)$ of a lattice, we define the dual basis as the set of vectors $(v_1^*,\ldots,v_n^*)$ such that $\langle v_i,v_j^*\rangle=\delta_{ij}$ for all $i,j\in[n]$. Note that if $B=(v_1,\ldots,v_n)$ is the $n\times n$ matrix whose columns are the basis vectors then $(B^T)^{-1}$ contains the dual basis as its columns. From this it follows that $d(L^*)=1/d(L)$.
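The objects just defined (the determinant $d(L)$, reduction modulo the fundamental parallelepiped, the dual basis and the identity $d(L^*)=1/d(L)$) are computed below on a small constructed basis of a lattice in $\mathbb{R}^3$. This is an added example, not code from the paper; the matrix helpers and the sample basis are ours, and exact rational arithmetic is used so that the identities can be checked exactly rather than approximately.

```python
# Added example (not from the paper): the basic objects of Section 2 computed
# exactly on a small constructed basis of a lattice in R^3. The matrix helpers
# are written for this example; the basis is a constructed sample.
import math
from fractions import Fraction

def det(M):
    """Determinant by Laplace expansion along the first row (n is tiny here)."""
    n = len(M)
    if n == 1:
        return Fraction(M[0][0])
    return sum((-1) ** j * Fraction(M[0][j]) * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(n))

def inverse(M):
    """Gauss-Jordan inverse over the rationals; raises if M is singular."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            raise ValueError("singular matrix: the vectors are not linearly independent")
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

def transpose(M):
    return [list(col) for col in zip(*M)]

def mat_vec(M, v):
    return [sum(Fraction(a) * b for a, b in zip(row, v)) for row in M]

def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))

def basis_matrix(vectors):
    """B: the n x n matrix whose columns are the basis vectors v_1..v_n."""
    return transpose([[Fraction(x) for x in v] for v in vectors])

def lattice_det(vectors):
    """d(L): the volume of the fundamental parallelepiped, i.e. |det B|."""
    return abs(det(basis_matrix(vectors)))

def dual_basis(vectors):
    """(v_1*, ..., v_n*): the columns of (B^T)^{-1}, so that <v_i, v_j*> = delta_ij."""
    b_transposed = [[Fraction(x) for x in v] for v in vectors]   # rows are the v_i
    return transpose(inverse(b_transposed))

def reduce_mod_parallelepiped(x, vectors):
    """x reduced modulo P(v_1..v_n): write x = sum c_i v_i and keep the fractional
    part of each c_i, so the result y lies in P and y - x is a lattice vector."""
    B = basis_matrix(vectors)
    coeffs = mat_vec(inverse(B), x)
    frac = [c - math.floor(c) for c in coeffs]
    return mat_vec(B, frac)

if __name__ == "__main__":
    basis = [(2, 0, 0), (1, 3, 0), (0, 1, 4)]            # constructed sample basis
    print("d(L)  =", lattice_det(basis))                  # 24
    print("d(L*) =", lattice_det(dual_basis(basis)))      # 1/24
    print("(5,7,9) mod P =", reduce_mod_parallelepiped((5, 7, 9), basis))   # [2, 2, 1]
```

With the sample basis, $(5,7,9)$ has coefficients $(41/24,\,19/12,\,9/4)$; keeping the fractional parts gives $(17/24,\,7/12,\,1/4)$, i.e. the point $(2,2,1)$, and the difference $(-3,-5,-8)=-v_1-v_2-2v_3$ is indeed in the lattice.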

We say that a lattice is unique if its shortest vector is strictly shorter than all other non-parallel vectors. Moreover, a lattice is $f(n)$-unique if the shortest vector is shorter by a factor of at least $f(n)$ than all non-parallel vectors. In the shortest vector problem we are interested in finding the shortest vector in a lattice. In this paper we will be interested in the $f(n)$-unique shortest vector problem ($f(n)$-uSVP) where in addition, we are promised that the lattice is $f(n)$-unique. Let $\lambda(L)$ denote the length of the shortest nonzero vector in the lattice $L$. We also denote the shortest vector (or one of the shortest vectors) by $\tau(L)$. Most of the lattices that appear in this paper are unique lattices and in these cases $\tau(L)$ is unique up to sign.

One particularly useful type of basis is an LLL reduced basis. Such a basis can be found in polynomial time [12]. Hence, we will often assume without loss of generality that lattices are given by an LLL reduced basis. The properties of LLL reduced bases that we use are summarized in Claim A.8.

We define a negligible amount as an amount which is asymptotically smaller than $n^{-c}$ for any constant $c>0$. The parameter $n$ will indicate the input size. Similarly, a non-negligible amount is one which is at least $n^{-c}$ for some $c>0$. Finally, exponentially small means an expression that is at most $2^{-\Omega(n)}$. We say that an algorithm ${\cal A}$ with oracle access is a distinguisher between two distributions if its acceptance probability when the oracle outputs samples of the first distribution and its acceptance probability when the oracle outputs samples of the second distribution differ by a non-negligible amount. Note that the notion of acceptance is used for convenience. In addition, an algorithm ${\cal A}$ is said to distinguish between the distribution $T$ and the set of distributions ${\cal T}$ if for any distribution $T'\in{\cal T}$, ${\cal A}$ distinguishes between $T$ and $T'$.

For two continuous random variables $X$ and $Y$ having values in $[0,1)$ with density functions $T_1$ and $T_2$ respectively we define their statistical difference as

$$\Delta(X,Y)=\frac{1}{2}\int_{0}^{1}|T_1(r)-T_2(r)|\,dr.$$

A similar definition holds for discrete random variables. One important fact that we use is that the statistical distance cannot increase by applying a (possibly randomized) function $f$, i.e.,

$$\Delta(f(X),f(Y))\leq\Delta(X,Y), \qquad (1)$$

see, e.g., [16]. In particular, this implies that the acceptance probability of any algorithm on inputs from $X$ differs from its acceptance probability on inputs from $Y$ by at most $\Delta(X,Y)$.

The set $\{1,2,\ldots,n\}$ is denoted by $[n]$. All logarithms are of base 2 unless otherwise specified. We use $\delta_{ij}$ to denote the Kronecker delta, i.e., 1 if $i=j$ and 0 otherwise. We use $\tilde{c}$ to denote an unspecified constant. That is, whenever $\tilde{c}$ appears we can replace it with some universal constant. For example, the expression $\tilde{c}+7=\tilde{c}$ is true because we can substitute $1$ and $8$ for the constants. Other constants will be denoted by $c$ with a letter as the subscript, e.g., $c_{\sf h}$.

For two real numbers $x,y>0$ we define $x~\mathrm{mod}~y$ as $x-\lfloor x/y\rfloor y$. For $x\in\mathbb{R}$ we define $\lfloor x\rceil$ as the integer nearest to $x$ or, in case two such integers exist, the smaller of the two. We also use the notation $\mathrm{frc}(x):=|x-\lfloor x\rceil|$, i.e., the distance of a real $x$ to the nearest integer. Notice that for all $x,y\in\mathbb{R}$, $0\leq\mathrm{frc}(x)\leq\frac{1}{2}$, $\mathrm{frc}(x)\leq|x|$ and $\mathrm{frc}(x+y)\leq\mathrm{frc}(x)+\mathrm{frc}(y)$.

Recall that the normal distribution with mean 0 and variance $\sigma^2$ is the distribution on $\mathbb{R}$ given by the density function $\frac{1}{\sqrt{2\pi}\cdot\sigma}e^{-\frac{1}{2}(\frac{x}{\sigma})^2}$. Also recall that the sum of two normal variables with mean 0 and variances $\sigma_1^2$ and $\sigma_2^2$ is a normal variable with mean 0 and variance $\sigma_1^2+\sigma_2^2$. A simple tail bound on the normal distribution appears in Claim A.1. The Gaussian distribution is a distribution on $\mathbb{R}^n$ obtained by taking $n$ independent identically distributed normal random variables as the coordinates. We define the standard Gaussian distribution as the distribution obtained when each of the normal random variables has standard deviation $1/\sqrt{2\pi}$. In other words, a standard Gaussian distribution is given by the density function $e^{-\pi\|x\|^2}$ on $\mathbb{R}^n$.

For clarity, we present some of our reductions in a model which allows operations on real numbers. It is possible to modify them in a straightforward way so that they operate in a model that approximates real numbers up to an error of $2^{-n^c}$ for an arbitrarily large constant $c$ in time polynomial in $n$. Therefore, if we say that two continuous distributions on $[0,1)$ are indistinguishable (in the real model) then for any $c>0$, discretizing the distributions up to error $2^{-n^c}$ yields two indistinguishable distributions.

2.1 Several Distributions

We define several useful distributions on the segment $[0,1)$. The distribution $U$ is simply the uniform distribution with the density function $U(r)=1$. For $\beta\in\mathbb{R}^+$ the distribution $Q_\beta$ is a normal distribution with mean $0$ and variance $\frac{\beta}{2\pi}$ reduced modulo $1$ (i.e., a periodization of the normal distribution):

$$Q_\beta(r)=\sum_{k=-\infty}^{\infty}\frac{1}{\sqrt{\beta}}\,e^{-\frac{\pi}{\beta}(r-k)^2}.$$

Clearly, one can efficiently sample from $Q_\beta$ by sampling a normal variable and reducing the result modulo 1. Another distribution is $T_{h,\beta}$ where $h\in\mathbb{N}$ and $\beta\in\mathbb{R}^+$ (see Figure 1). Its density function is defined as

$$T_{h,\beta}(r)=Q_\beta(rh~\mathrm{mod}~1)=\sum_{k=-\infty}^{\infty}\frac{1}{\sqrt{\beta}}\,e^{-\frac{\pi}{\beta}(rh-k)^2}.$$

By adding a normalization factor we can extend the definition of $T_{h,\beta}$ to non-integer $h$. So in general,

$$T_{h,\beta}(r)=\frac{1}{\int_{0}^{1}Q_\beta(xh~\mathrm{mod}~1)\,dx}\;Q_\beta(rh~\mathrm{mod}~1).$$

For a real $h>0$, choosing a value $z\in[0,1)$ according to $T_{h,\beta}$ can be done as follows. First choose a value $x\in\{0,1,\ldots,\lceil h\rceil-1\}$ and then choose a value $y$ according to $Q_\beta$. If $\frac{x+y}{h}<1$ then return it as the result. Otherwise, repeat the process again. It is easy to see that the distribution obtained is indeed $T_{h,\beta}$ and that the process is efficient for (say) $h\geq 1$.
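The densities $Q_\beta$ and $T_{h,\beta}$, the sampling procedure just described, and the statistical distance $\Delta$ of Section 2 (including the data-processing inequality (1)) are made concrete in the following added example; it is our code, not the paper's. The truncation of the infinite sum, the grid used for the integrals, and the reading of "choose a value $x$" as a uniform choice are our assumptions. It also checks numerically that $\Delta(T_{h,\beta},U)$ shrinks as $\beta$ grows (the density flattens toward $U$) and that $h\cdot z$ sits close to an integer for samples $z$ of $T_{h,\beta}$ with small $\beta$, which is the structure the cryptosystem of Section 3 relies on.

```python
# Added example (not from the paper): the densities Q_beta and T_{h,beta} of
# Section 2.1, the rejection sampler for T_{h,beta} described above, and the
# statistical distance Delta defined in Section 2, all evaluated numerically.
# The grid size and the truncation of the infinite sum are our own choices.
import math
import random

GRID = 4096   # midpoint-rule resolution on [0,1) (our numerical choice)

def q_beta(r, beta):
    """Q_beta(r): density of a normal variable with variance beta/(2 pi), reduced
    mod 1. The sum over k is truncated where the terms fall below exp(-16 pi)."""
    kmax = int(4 * math.sqrt(beta)) + 3
    r = r % 1.0
    return sum(math.exp(-math.pi / beta * (r - k) ** 2)
               for k in range(-kmax, kmax + 1)) / math.sqrt(beta)

def midpoint_integral(fn, grid=GRID):
    """int_0^1 fn(r) dr by the midpoint rule."""
    return sum(fn((i + 0.5) / grid) for i in range(grid)) / grid

def make_t_density(h, beta):
    """T_{h,beta}(r) = Q_beta(r h mod 1) / int_0^1 Q_beta(x h mod 1) dx, the general
    (normalised) definition; for integer h the normaliser equals 1."""
    norm = midpoint_integral(lambda x: q_beta(x * h, beta))
    return lambda r: q_beta(r * h, beta) / norm

def uniform_density(r):
    """U(r) = 1 on [0,1)."""
    return 1.0

def statistical_distance(t1, t2):
    """Delta(X, Y) = 1/2 int_0^1 |T_1(r) - T_2(r)| dr for densities T_1, T_2 on [0,1)."""
    return 0.5 * midpoint_integral(lambda r: abs(t1(r) - t2(r)))

def sample_t(h, beta, rng=random):
    """The sampler for T_{h,beta} given in the text: pick x in {0,..,ceil(h)-1}
    (uniformly, which is how we read the procedure) and y ~ Q_beta, accept
    z = (x + y) / h when z < 1, otherwise repeat."""
    sigma = math.sqrt(beta / (2 * math.pi))
    while True:
        x = rng.randrange(math.ceil(h))
        y = rng.gauss(0.0, sigma) % 1.0
        z = (x + y) / h
        if z < 1.0:
            return z

def frc(x):
    """Distance from x to the nearest integer (Section 2)."""
    return abs(x - round(x))

def mean_frc_of_hz(h, beta, n_samples, seed=0):
    """Average of frc(h z) over samples z ~ T_{h,beta}: close to 0 for small beta
    (h z sits near an integer), close to 1/4 for an (almost) uniform z."""
    rng = random.Random(seed)
    return sum(frc(h * sample_t(h, beta, rng)) for _ in range(n_samples)) / n_samples

if __name__ == "__main__":
    for h, beta in ((4, 0.05), (7, 0.05), (4, 0.02)):   # the three panels of Figure 1
        t = make_t_density(h, beta)
        print(f"Delta(T_{{{h},{beta}}}, U) = {statistical_distance(t, uniform_density):.3f}")
```

The map $r\mapsto hr~\mathrm{mod}~1$ sends $T_{h,\beta}$ to $Q_\beta$ (for integer $h$) and $U$ to $U$, so inequality (1) says $\Delta(Q_\beta,U)\leq\Delta(T_{h,\beta},U)$; the test below checks this on the grid.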

[Figure 1: three plots (wavy1.eps, wavy2.eps, wavy3.eps; images not reproduced here) of the densities $T_{4,0.05}$, $T_{7,0.05}$ and $T_{4,0.02}$ on $[0,1)$.]

Figure 1: $T_{4,0.05}$, $T_{7,0.05}$ and $T_{4,0.02}$

We also define the following set of distributions:

$${\cal T}_{n,g}:=\Big\{T_{h,\beta}~\Big|~h\in\mathbb{N},~h\leq 2^{c_{\sf h}n^2},~\beta\in\Big[\frac{n}{g^2},4\frac{n}{g^2}\Big)\Big\}$$

where $c_{\sf h}$ is a constant specified in Lemma 4.9.

3 Cryptographic Constructions

For a security parameter $n$, let $N$ be $2^{c_{\sf N}n^2}$ and let $m$ be $c_{\sf m}n^2$ where $c_{\sf N}$ and $c_{\sf m}$ are two constants which will be specified later. Let $\gamma(n)=\omega(n\sqrt{\log n})$, i.e., any function that satisfies $\frac{\gamma(n)}{n\sqrt{\log n}}\rightarrow\infty$ as $n$ goes to infinity. The smaller the function, the better the security guarantee becomes. For concreteness, one can choose $\gamma(n)=n\log n$. We also assume that $\gamma(n)\leq n^{c_\gamma}$ for some constant $c_\gamma>0$.


Public Key Encryption

  • Private key: Let $H=\{h\in[\sqrt{N},2\sqrt{N})~|~\mathrm{frc}(h)<\frac{1}{16m}\}$. Choose $h\in H$ uniformly at random. Let $d$ denote $\frac{N}{h}$. The private key is the number $h$.

  • Public key: Choose $\beta\in[4\frac{1}{(\gamma(n))^2},8\frac{1}{(\gamma(n))^2})$ uniformly at random. We choose $m$ values $z_1,\ldots,z_m$ from $T_{h,\beta}$ by choosing $x_1,\ldots,x_m$ and $y_1,\ldots,y_m$ as described in Section 2.1. Let $i_0$ be an index such that $x_{i_0}$ is odd (such an $i_0$ exists with probability exponentially close to $1$). For $i\in[m]$, let $a_i$ denote $\lfloor N\cdot z_i\rfloor$. The public key is $(a_1,\ldots,a_m,i_0)$.

  • Encryption: In order to encrypt a bit we choose a random subset $S$ of $[m]$. The encryption is $\sum_{i\in S}a_i~\mathrm{mod}~N$ if the bit is 0 and $\sum_{i\in S}a_i+\lfloor\frac{a_{i_0}}{2}\rfloor~\mathrm{mod}~N$ if the bit is 1.

  • Decryption: On receiving $w\in\{0,\ldots,N-1\}$ we decrypt $0$ if $\mathrm{frc}(\frac{w}{d})<\frac{1}{4}$ and $1$ otherwise.


A Family of Collision Resistant Hash Functions

  • Choose $m$ numbers $a_1,\ldots,a_m$ uniformly in $\{0,1,\ldots,N-1\}$. The function $f:\{0,1\}^m\rightarrow\{0,1,\ldots,N-1\}$ is defined as:

    $$f(b)=\sum_{i=1}^{m}b_i a_i~\mathrm{mod}~N.$$

Notice that if $c_{\sf m}>c_{\sf N}$ then $f$ indeed compresses the size of the input and collisions are guaranteed to exist.
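Both constructions of this section are implemented below at toy size so that the mechanics can be traced: the private key $h$, the public values $a_i=\lfloor N\cdot z_i\rfloor$, the subset-sum encryption with the $\lfloor a_{i_0}/2\rfloor$ shift for a 1 bit, decryption by $\mathrm{frc}(w/d)$, and the hash function $f$. This is an added example and not the paper's code; the sizes ($N=2^{48}$, $m=10$, $\gamma=400$) are constructed for illustration and carry none of the security guarantee, which needs $N=2^{c_{\sf N}n^2}$, $m=c_{\sf m}n^2$ and $\gamma(n)=\omega(n\sqrt{\log n})$. The way $h$ is drawn (uniform integer part plus a fractional offset below $1/(16m)$) is our approximation of a uniform choice from $H$.

```python
# Added example (not from the paper): a toy-parameter implementation of the
# public key cryptosystem and of the hash family of Section 3. The sizes
# (N = 2^48, m = 10, gamma = 400) are constructed so the mechanics can be
# exercised quickly; they carry none of the paper's security guarantee, which
# needs N = 2^{c_N n^2}, m = c_m n^2 and gamma(n) = omega(n sqrt(log n)).
import math
import random

N = 2 ** 48       # toy modulus (constructed)
M = 10            # toy number of public-key elements (constructed)
GAMMA = 400.0     # toy gamma; beta is drawn from [4/gamma^2, 8/gamma^2) as in the text

def frc(x):
    """Distance of x to the nearest integer (Section 2)."""
    return abs(x - round(x))

def sample_t_with_parts(h, beta, rng):
    """z ~ T_{h,beta} via the Section 2.1 sampler; x and y are returned as well
    because the key generation needs the parity of x."""
    sigma = math.sqrt(beta / (2 * math.pi))
    while True:
        x = rng.randrange(math.ceil(h))
        y = rng.gauss(0.0, sigma) % 1.0
        z = (x + y) / h
        if z < 1.0:
            return z, x, y

def keygen(rng):
    """Private key: h in H = {h in [sqrt N, 2 sqrt N) : frc(h) < 1/(16 m)}.
    Public key: (a_1..a_m, i_0) with a_i = floor(N z_i), z_i ~ T_{h,beta}, x_{i_0} odd."""
    root = math.isqrt(N)                                  # exact: N is a power of 4
    # integer part uniform in [sqrt N, 2 sqrt N), fractional part below 1/(16 m):
    # our approximation of the uniform choice from H
    h = rng.randrange(root, 2 * root) + rng.uniform(0.0, 1.0 / (16 * M))
    beta = rng.uniform(4.0 / GAMMA ** 2, 8.0 / GAMMA ** 2)
    while True:
        samples = [sample_t_with_parts(h, beta, rng) for _ in range(M)]
        odd = [i for i, (_, x, _) in enumerate(samples) if x % 2 == 1]
        if odd:                      # exists with probability 1 - 2^-m; resample otherwise
            break
    a = [math.floor(N * z) for z, _, _ in samples]
    return h, (a, odd[0])

def encrypt(pk, bit, rng):
    """Random subset sum of the a_i mod N, shifted by floor(a_{i_0}/2) for bit 1."""
    a, i0 = pk
    subset = [i for i in range(M) if rng.random() < 0.5]
    w = sum(a[i] for i in subset)
    if bit == 1:
        w += a[i0] // 2
    return w % N

def decrypt(h, w):
    """0 if w/d is within 1/4 of an integer (d = N/h), else 1."""
    d = N / h
    return 0 if frc(w / d) < 0.25 else 1

def key_is_well_formed(h, pk):
    """Checks the key against the definitions: h in H, every a_i in {0,..,N-1}."""
    a, i0 = pk
    root = math.isqrt(N)
    return (root <= h < 2 * root and frc(h) < 1.0 / (16 * M)
            and len(a) == M and all(0 <= ai < N for ai in a) and 0 <= i0 < M)

def demo_roundtrip(seed, trials=25):
    """Generate a key, encrypt and decrypt 0 and 1 repeatedly; returns (h, pk, failures)."""
    rng = random.Random(seed)
    h, pk = keygen(rng)
    failures = 0
    for _ in range(trials):
        for bit in (0, 1):
            if decrypt(h, encrypt(pk, bit, rng)) != bit:
                failures += 1
    return h, pk, failures

def hash_f(a, b):
    """f(b) = sum_i b_i a_i mod N for b in {0,1}^m and key a_1..a_m."""
    assert len(b) == len(a) and all(bi in (0, 1) for bi in b)
    return sum(bi * ai for bi, ai in zip(b, a)) % N

def compresses(m, modulus):
    """f maps {0,1}^m into a range of size modulus, so it compresses (and collisions
    must exist) exactly when 2^m > modulus, i.e. c_m > c_N in the paper's scaling."""
    return 2 ** m > modulus

if __name__ == "__main__":
    h, pk, failures = demo_roundtrip(seed=2024)
    print("decryption failures:", failures)             # 0
    print("f compresses at toy size:", compresses(M, N))  # False: 2^10 < 2^48
```

Why decryption works here: $a_i/d\approx x_i+y_i$, so for a 0 bit $w/d$ is within $\sum_i|y_i|+|S|\cdot\mathrm{frc}(h)$ of an integer, while the $\lfloor a_{i_0}/2\rfloor$ term with $x_{i_0}$ odd moves it by about $1/2$. At the toy sizes the hash key of $m=10$ numbers does not compress into $\{0,\ldots,2^{48}-1\}$; `compresses` shows the condition $m>\log_2 N$ that the paper's $c_{\sf m}>c_{\sf N}$ corresponds to.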

4 Main Theorem

In this section we present a reduction from $g(n)$-uSVP to the problem of distinguishing between two types of distributions on $[0,1)$.

Theorem 4.1

Let $g(n)$ be any function such that $4\sqrt{n}\leq g(n)\leq poly(n)$ and let $c_{\sf h}$ be the constant specified in Lemma 4.9. If there exists a distinguisher between $U$ and ${\cal T}_{n,g(n)}$ then there exists a solution to $g(n)$-uSVP.

Proof: Let $p(n)$ be a prime larger than $g(n)$ and at most (say) $2g(n)$. We can now apply Lemmas 4.2, 4.8 and 4.9 in order to obtain the theorem. □

4.1 Reduction to a Decision Problem

We reduce the SVP to the following decision problem:


Decision SVP with parameter $p$ ($dSVP_p$)

  • Input: An arbitrary basis $(v_1,\ldots,v_n)$ of a unique lattice $L$ and a number $\alpha$ such that $\lambda(L)<\alpha\leq 2\lambda(L)$. Let $a_1,\ldots,a_n$ be the coefficients of the shortest vector in this basis, i.e., $\tau(L)=\sum_{i=1}^{n}a_i v_i$.

  • Output: YES if $p$ divides $a_1$, NO otherwise.

Lemma 4.2

Let $p=p(n)>2$ be a prime number which is at most polynomial in $n$ (footnote 2). There exists a reduction from finding the shortest vector in a unique lattice $L$ to $dSVP_p$ (footnote 3). Moreover, if $L$ is an $f(n)$-unique lattice then all the calls to $dSVP$ are also with an $f(n)$-unique lattice.

Footnote 2: The result holds for the case $p=2$ as well with some technical differences.

Footnote 3: One can guarantee the uniqueness of the shortest vector in any lattice by adding tiny perturbations to the basis vectors. Therefore, the assumption that $L$ is unique can be avoided.

Proof: It is convenient to have a bound on the coefficients of the shortest vector. So we assume, without loss of generality, that we are given a basis $(v_1,\ldots,v_n)$ of $L$ which is LLL reduced. Hence, by Claim A.8, we get that the coefficients of the shortest vector satisfy $|a_i|\leq 2^{2n}$ and $\frac{\|v_1\|}{2^n}\leq\lambda(L)\leq\|v_1\|$. These are the only properties that we need from the basis and in fact, other bases used throughout this proof will not necessarily be LLL reduced. In the following we describe a procedure ${\cal B}(\alpha)$ that finds the shortest vector given an estimate $\alpha$ which satisfies $\lambda(L)<\alpha\leq 2\lambda(L)$. We apply the procedure $n$ times with $\alpha=2^{j-n}\cdot\|v_1\|$ for $j=1,2,\ldots,n+1$. Notice that when we call ${\cal B}$ with the wrong value of $\alpha$ it can err by either outputting a non-lattice vector or a lattice vector which is longer than the shortest vector. We can easily ignore these errors by checking that the returned vector is a lattice vector and then taking the shortest one. Therefore, it is sufficient to show that when $\alpha$ satisfies $\lambda(L)<\alpha\leq 2\lambda(L)$, ${\cal B}(\alpha)$ returns the shortest vector. Clearly, one can modify the $dSVP$ so that it finds whether $p~|~a_i$ for any $i\in[n]$ (and not just $i=1$) by simply changing the order of the vectors in the basis given to the $dSVP$.

    The procedure ${\cal B}$ is based on changes to the basis $(v_1,\ldots,v_n)$. Throughout the procedure we maintain the invariant that the lattice spanned by the current basis is a sublattice of the original lattice and that the shortest vector is unchanged. Notice that this implies that if the original lattice is an $f(n)$-unique lattice then all intermediate lattices are also $f(n)$-unique and hence all the calls to $dSVP$ are with an $f(n)$-unique lattice, as required. In addition, since the shortest vector is unchanged, the estimate $\alpha$ can be used whenever we call the $dSVP$ with an intermediate lattice. The changes to the basis are meant to decrease the coefficients of the shortest vector. We let $a_1,\ldots,a_n$ denote the coefficients of the shortest vector according to the current basis. We will show that when the procedure ends all the coefficients of the shortest vector are zero except $a_i$ for some $i\in[n]$. This implies that the shortest vector is $v_i$. In the following we describe a routine ${\cal C}$ that will later be used in ${\cal B}$.

    The routine ${\cal C}(i,j)$ where $i,j\in[n]$ applies a sequence of changes to the basis. Only the vectors $v_i$ and $v_j$ in the basis are modified. When the routine finishes it returns the new basis and a bit. If the bit is zero then we are guaranteed that the coefficient $a_i$ of the shortest vector in the new basis is zero. Otherwise, the bit is one and we are guaranteed that $|a_j|\leq\frac{1}{2}|a_i|$ and that $a_i$ is nonzero. In any case, the value of $|a_i|$ is not increased by ${\cal C}(i,j)$.

    The routine is composed of the following two steps. In the first step we replace $v_i$ with $p\cdot v_i$ as long as the $dSVP$ says that $p\mid a_i$ and not more than $2n$ times. By multiplying $v_i$ by $p$ when $p\mid a_i$, we obtain a sublattice that still contains the same shortest vector. The coefficient $a_i$ decreases by a factor of $p$. Since we began with $|a_i|<2^{2n}$, if this happens $2n$ times then $a_i=0$ and therefore in this case we return the current lattice and output a zero bit. Otherwise, we are guaranteed that in the current lattice $p\nmid a_i$.

    In the second step we consider $p$ different bases where $v_i$ is replaced with one of $v_i-\frac{p-1}{2}v_j,\ldots,v_i-v_j,v_i,v_i+v_j,\ldots,v_i+\frac{p-1}{2}v_j$. Notice that all $p$ bases span the same lattice. Also note that the coefficient $a_j$ changes to $a_j+\frac{p-1}{2}a_i,\ldots,a_j+a_i,a_j,a_j-a_i,\ldots,a_j-\frac{p-1}{2}a_i$ respectively while all other coefficients remain the same. Since $p\nmid a_i$, one of the bases must satisfy that $p\mid a_j$ and we can find it by calling $dSVP_p$. We choose that basis and then multiply $v_j$ by $p$. We repeat the above steps (of choosing one of the $p$ bases and multiplying by $p$) $2n$ times and then output the resulting lattice with the bit one. With each step, the new $|a_j|$ becomes at most $(\frac{p-1}{2}|a_i|+|a_j|)/p=(\frac{1}{2}-\frac{1}{2p})|a_i|+\frac{|a_j|}{p}$. Hence, after $2n$ applications, the new $|a_j|$ is at most $(\frac{1}{2}-\frac{1}{2p})(1+\frac{1}{p}+\ldots+\frac{1}{p^{2n-1}})|a_i|+\frac{|a_j|}{p^{2n}}<\frac{1}{2}|a_i|+\frac{|a_j|}{p^{2n}}$ and since $a_j$ is an integer this implies $|a_j|\leq\frac{1}{2}|a_i|$. This completes the description of ${\cal C}$. It is easy to check that all the numbers involved have a polynomial size representation and therefore ${\cal C}$ runs in polynomial time.

    The procedure ${\cal B}$ works by maintaining a set $Z$ of possibly non-zero coefficients which is initially set to $[n]$. As long as $|Z|\geq 2$ we perform the following operations. Assume without loss of generality that $1,2\in Z$. We alternately call ${\cal C}(1,2)$ and ${\cal C}(2,1)$ until the bit returned in one of the calls is zero. This indicates that one of the coefficients is zero (either $a_1$ or $a_2$ depending on which call returns the zero bit) and we remove it from the set $Z$. In order to show that the procedure runs in polynomial time, it is enough to show that an element is removed from $Z$ after at most a polynomial number of steps. Notice that after each pair of calls to ${\cal C}$ that returned the bit one, $|a_1|$ decreases by a factor of at least 4. Therefore, after at most $2n$ calls to ${\cal C}$, $a_1$ becomes zero and ${\cal C}(1,2)$ must return the bit zero.
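The routine ${\cal C}$ and the procedure ${\cal B}$ above, as an added worked example that is not code from the paper: a Python simulation of the reduction in dimension $n=3$ with $p=3$. The $dSVP_p$ oracle is an assumption of the simulation, realised by a closure that knows the shortest vector $u$ and solves for its coefficients exactly, which the reduction itself never does; the estimate $\alpha$ is therefore unused here. The input basis is constructed so that $u=(1,0,0)=3v_1-5v_2+2v_3$ and every lattice vector not parallel to $u$ has length at least 50; the coefficient bound $|a_i|<2^{2n}$ that the LLL step guarantees holds for it by construction.

```python
from fractions import Fraction


def solve_coefficients(basis, target):
    """Exact rational c with sum_i c[i] * basis[i] == target (basis: n independent vectors in Z^n)."""
    n = len(basis)
    # Row r is coordinate r, column i is basis vector i, last column is the target.
    M = [[Fraction(basis[i][r]) for i in range(n)] + [Fraction(target[r])] for r in range(n)]
    for col in range(n):  # Gauss-Jordan elimination over the rationals
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        pv = M[col][col]
        M[col] = [x / pv for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def make_dsvp_oracle(p, shortest):
    """Simulated dSVP_p oracle (assumption of this example): it cheats by knowing the
    shortest vector and answers whether p divides its idx-th coefficient in `basis`.
    The real oracle of the paper gets only the basis and the estimate alpha."""
    def oracle(basis, idx):
        coeffs = solve_coefficients(basis, shortest)
        # Invariant maintained by the reduction: the shortest vector stays in the sublattice.
        assert all(c.denominator == 1 for c in coeffs), "shortest vector left the lattice"
        return int(coeffs[idx]) % p == 0
    return oracle


def routine_C(basis, i, j, p, oracle):
    """Routine C(i, j): returns (new_basis, bit); bit 0 means a_i = 0,
    bit 1 means a_i != 0 and |a_j| <= |a_i| / 2."""
    n = len(basis)
    basis = [list(v) for v in basis]
    # Step 1: replace v_i by p * v_i while the oracle says p | a_i, at most 2n times.
    for _ in range(2 * n):
        if not oracle(basis, i):
            break
        basis[i] = [p * x for x in basis[i]]
    else:
        return basis, 0  # divisible 2n times in a row, so a_i was 0 (|a_i| < 2^{2n} < p^{2n})
    # Step 2: 2n rounds of "pick v_i + k v_j with p | a_j, then multiply v_j by p".
    half = (p - 1) // 2
    for _ in range(2 * n):
        for k in range(-half, half + 1):
            candidate = [list(v) for v in basis]
            candidate[i] = [x + k * y for x, y in zip(basis[i], basis[j])]
            if oracle(candidate, j):  # a_j becomes a_j - k a_i; some k hits 0 mod p since p does not divide a_i
                basis = candidate
                break
        else:
            raise RuntimeError("no shift works: contradicts p not dividing a_i")
        basis[j] = [p * x for x in basis[j]]  # a_j shrinks by a factor p
    return basis, 1


def procedure_B(basis, p, oracle):
    """Procedure B: zero all but one coefficient of the shortest vector; the surviving
    basis vector is the shortest vector up to sign."""
    n = len(basis)
    Z = list(range(n))  # indices whose coefficient may still be non-zero
    basis = [list(v) for v in basis]
    while len(Z) >= 2:
        i, j = Z[0], Z[1]
        while True:  # alternate C(i, j) and C(j, i) until one returns bit 0
            basis, bit = routine_C(basis, i, j, p, oracle)
            if bit == 0:
                Z.remove(i)
                break
            basis, bit = routine_C(basis, j, i, p, oracle)
            if bit == 0:
                Z.remove(j)
                break
    return basis[Z[0]]


# Constructed input: u = (1,0,0) = 3 v1 - 5 v2 + 2 v3, all other directions have length >= 50.
EXAMPLE_BASIS = [[2, -250, 50], [1, -150, 50], [0, 0, 50]]
EXAMPLE_U = [1, 0, 0]

if __name__ == "__main__":
    oracle = make_dsvp_oracle(3, EXAMPLE_U)
    print("coefficients of u:", solve_coefficients(EXAMPLE_BASIS, EXAMPLE_U))
    print("recovered shortest vector:", procedure_B(EXAMPLE_BASIS, 3, oracle))
```

The oracle asserts on every call that the shortest vector is still in the current sublattice, which is exactly the invariant the proof maintains; `procedure_B` itself only ever sees oracle bits and the basis, never the coefficients.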

Although not used in this paper, the following is an immediate corollary of the above lemma and might be of independent interest. Basically, it is a reduction from the search SVP to the decision SVP for unique lattices. It is still an open question whether a similar result holds for SVP on general lattices.

Corollary 4.3

For any prime $p=p(n)<poly(n)$ larger than 2 and any $f(n)\geq 1$, finding the shortest vector in a $p(n)f(n)$-unique lattice can be reduced to the following gap problem: given $d$ and an $f(n)$-unique lattice, decide whether the length of the shortest vector is at most $d$ or more than $\sqrt{p(n)}\cdot d$.

  • Proof:

    According to Lemma 4.2 it is enough to describe a solution to $dSVP_p$ on $p\cdot f(n)$-unique lattices. Say we are given the lattice $L$ with the basis $(v_1,\ldots,v_n)$. By using the gap problem we can approximate $\lambda(L)$ and $\lambda(L')$ up to a factor $\sqrt{p}$ where $L'$ is the lattice spanned by $(pv_1,v_2,\ldots,v_n)$. Notice that since $p\cdot\tau(L)\in L'$, $L'$ is an $f(n)$-unique lattice, as required. Say that $\lambda(L)\in[d_1,\sqrt{p}d_1]$ and $\lambda(L')\in[d_2,\sqrt{p}d_2]$. If $p\mid a_1$ then both lattices contain the same shortest vector and therefore the two ranges intersect. Otherwise, it is easy to see that $\tau(L')=p\cdot\tau(L)$ and therefore the two ranges do not intersect.

4.2 Gaussian Distributions on Lattices

Let $B_n$ denote the Euclidean unit ball and define $\rho(A)$ as $\sum_{x\in A}e^{-\pi\|x\|^2}$. The following lemma by Banaszczyk says that in any lattice $L$ the contribution to $\rho(L)$ from points of distance more than $\sqrt{n}$ is negligible.

Lemma 4.4 ([3], Lemma 1.5(i) with $c=1$)

For any lattice $L$, $\rho(L-\sqrt{n}B_n)<2^{-\Omega(n)}\rho(L)$.

The proof of this lemma is not straightforward; a somewhat easier proof can be found in Štefankovič's thesis [18]. A simple corollary of this lemma is that $\rho(L)<\rho(L\cap\sqrt{n}B_n)/(1-2^{-\Omega(n)})$. We will also use the following formulation of the Poisson summation formula:

Lemma 4.5 ([3], Lemma 1.1(i) with $a=\pi$, $b=1$, $y=0$)

For any lattice $L$ and any vector $y\in\mathbb{R}^n$, $\rho(L^*+y)=d(L)\cdot\sum_{x\in L}e^{2\pi i\langle x,y\rangle}\rho(\{x\})$.

For a given lattice $L$, we consider the distribution obtained by sampling a standard Gaussian centered around the origin and reducing it modulo the fundamental parallelepiped ${\cal P}(L^*)$. Equivalently, we consider the following density function defined on ${\cal P}(L^*)$:

$$D_{L^*}(x)=\rho(L^*+x).$$

Intuitively, we can think of $D_{L^*}$ as taking Gaussian distributions around ‘all’ points of $L^*$. Since this distribution is periodic in $\mathbb{R}^n$ with period ${\cal P}(L^*)$, we simplify the analysis by choosing $D_{L^*}$ to be a restriction of the distribution to ${\cal P}(L^*)$. In this section we present good approximations to $D_{L^*}$ for two types of lattices $L$.

Lemma 4.6

Let $L$ be a lattice in which all non-zero vectors are of length more than $\sqrt{n}$ and let $U_{L^*}(x)=\frac{1}{d(L^*)}=d(L)$ be the uniform density function on ${\cal P}(L^*)$. Then, $\Delta(D_{L^*},U_{L^*})<2^{-\Omega(n)}$.

  • Proof:

    For any $y\in\mathbb{R}^n$,

    $$\Bigl|1-\sum_{x\in L}e^{2\pi i\langle x,y\rangle}\rho(\{x\})\Bigr|\leq\sum_{x\in L\setminus\sqrt{n}B_n}\rho(\{x\})=\rho(L\setminus\sqrt{n}B_n)\stackrel{\{1\}}{<}2^{-\Omega(n)}\rho(L)\stackrel{\{2\}}{<}2^{-\Omega(n)}\frac{\rho(L\cap\sqrt{n}B_n)}{1-2^{-\Omega(n)}}\leq 2^{-\Omega(n)}$$

    where $\{1\}$ and $\{2\}$ are due to Lemma 4.4 and the last inequality holds because $\rho(L\cap\sqrt{n}B_n)=1$. Multiplying by $d(L)$ and using Lemma 4.5 we get,

    $$|d(L)-\rho(L^*+y)|<2^{-\Omega(n)}d(L).$$

    We conclude the proof by integrating over ${\cal P}(L^*)$,

    $$\Delta(D_{L^*},U_{L^*})<2^{-\Omega(n)}.$$


For any vector $v\in L$ define the density function $T_{L^*,v}$ on ${\cal P}(L^*)$ as

$$T_{L^*,v}(x)=\frac{d(L)}{\|v\|}\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+\langle v,x\rangle}{\|v\|}\right)^2}.$$

According to Claim A.5 it is indeed a density function.

Lemma 4.7

Let $L$ be a lattice with a shortest vector $u$ in which all vectors not parallel to $u$ are of length more than $\sqrt{n}$. Then, $\Delta(D_{L^*},T_{L^*,u})<2^{-\Omega(n)}(1+\frac{1}{\|u\|})$. In particular, if $\|u\|\geq\frac{1}{n^c}$ for some $c>0$ then $\Delta(D_{L^*},T_{L^*,u})<2^{-\Omega(n)}$.

  • Proof:

    For any $y\in\mathbb{R}^n$,

    $$\Bigl|\sum_{x\in L}e^{2\pi i\langle x,y\rangle}\rho(\{x\})-\sum_{k\in\mathbb{Z}}e^{2\pi ik\langle u,y\rangle}\rho(\{ku\})\Bigr|<\sum_{x\in L\setminus\sqrt{n}B_n}\rho(\{x\})=\rho(L\setminus\sqrt{n}B_n)\stackrel{\{1\}}{<}2^{-\Omega(n)}\rho(L)\stackrel{\{2\}}{\leq}2^{-\Omega(n)}\frac{1}{1-2^{-\Omega(n)}}\rho(\{ku\mid k\in\mathbb{Z}\})\leq 2^{-\Omega(n)}\rho(\{ku\mid k\in\mathbb{Z}\})\stackrel{\{3\}}{\leq}2^{-\Omega(n)}\Bigl(1+\frac{1}{\|u\|}\Bigr)$$

    where $\{1\}$ and $\{2\}$ are due to Lemma 4.4 and $\{3\}$ is due to Claim A.2 with $x=0$. By multiplying by $d(L)$ we get

    $$\Bigl|\rho(L^*+y)-d(L)\sum_{k\in\mathbb{Z}}e^{2\pi ik\langle u,y\rangle}\rho(\{ku\})\Bigr|<2^{-\Omega(n)}\Bigl(1+\frac{1}{\|u\|}\Bigr)\cdot d(L).\qquad(2)$$

    Consider the one dimensional lattice $M$ spanned by the number $\|u\|$. Clearly, the lattice $M^*$ is spanned by the number $\frac{1}{\|u\|}$. According to Lemma 4.5 for any $a\in\mathbb{R}$,

    $$\rho(M^*+a)=d(M)\sum_{b\in M}e^{2\pi iab}\rho(\{b\})=\|u\|\sum_{k\in\mathbb{Z}}e^{2\pi ika\|u\|}\rho(\{ku\}).$$

    Therefore, taking $a=\langle u,y\rangle/\|u\|$,

    $$d(L)\sum_{k\in\mathbb{Z}}e^{2\pi ik\langle u,y\rangle}\rho(\{ku\})=\frac{d(L)}{\|u\|}\rho\Bigl(M^*+\frac{\langle u,y\rangle}{\|u\|}\Bigr)=T_{L^*,u}(y).$$

    We conclude the proof by integrating (2) over 𝒫⁒(L*)𝒫superscript𝐿{\cal P}(L^{*})caligraphic_P ( italic_L start_POSTSUPERSCRIPT * end_POSTSUPERSCRIPT ):

    Δ⁒(DL*,TL*,u)<2βˆ’Ξ©β’(n)⁒(1+1β€–uβ€–).Ξ”subscript𝐷superscript𝐿subscript𝑇superscript𝐿𝑒superscript2Ω𝑛11norm𝑒\Delta(D_{L^{*}},T_{L^{*},u})<2^{-\Omega(n)}(1+\frac{1}{\|u\|}).roman_Ξ” ( italic_D start_POSTSUBSCRIPT italic_L start_POSTSUPERSCRIPT * end_POSTSUPERSCRIPT end_POSTSUBSCRIPT , italic_T start_POSTSUBSCRIPT italic_L start_POSTSUPERSCRIPT * end_POSTSUPERSCRIPT , italic_u end_POSTSUBSCRIPT ) < 2 start_POSTSUPERSCRIPT - roman_Ξ© ( italic_n ) end_POSTSUPERSCRIPT ( 1 + divide start_ARG 1 end_ARG start_ARG βˆ₯ italic_u βˆ₯ end_ARG ) .

    Β 

4.3 Two Indistinguishable Distributions

Lemma 4.8

Let $g(n)<p(n)$ be such that $p(n)$ is a prime and both are at most polynomial in $n$. Solving $dSVP_{p(n)}$ on $g(n)$-unique lattices can be reduced to the problem of distinguishing between $U_{L^*}$ and $T_{L^*,\tau(L)}$, where $L$ is given as an $LLL$ reduced basis and $\lambda(L)\in[\frac{\sqrt{n}}{g(n)},\frac{2\sqrt{n}}{g(n)})$.

  • Proof:

    We are given a basis $(v_1,\ldots,v_n)$ of a $g(n)$-unique lattice $L$ and a number $\alpha$ such that $\lambda(L)<\alpha\leq 2\lambda(L)$. Let $L'$ be the lattice $L$ scaled by a factor $\frac{2\sqrt{n}}{\alpha\cdot g(n)}$, i.e., the lattice spanned by the basis $(v_1',\ldots,v_n'):=\frac{2\sqrt{n}}{\alpha\cdot g(n)}(v_1,\ldots,v_n)$. Notice that in $L'$ the shortest vector $\tau(L')=\sum_{i=1}^n a_i v_i'$ is of length in $[\frac{\sqrt{n}}{g(n)},\frac{2\sqrt{n}}{g(n)})$ and any vector not parallel to $\tau(L')$ is of length at least $g(n)\cdot\frac{\sqrt{n}}{g(n)}=\sqrt{n}$. Now, let $M$ be the lattice spanned by the basis $(p(n)v_1',v_2',\ldots,v_n')$. If $p(n)\mid a_1$ then $\tau(M)=\tau(L')$ and therefore its length is in $[\frac{\sqrt{n}}{g(n)},\frac{2\sqrt{n}}{g(n)})$. Also, since $M\subseteq L'$, any vector in $M$ not parallel to $\tau(M)$ is of length at least $\sqrt{n}$. If $p(n)\nmid a_1$ then the shortest multiple of $\tau(L')$ that is contained in $M$ is $p(n)\cdot\tau(L')$, whose length is at least $p(n)\cdot\frac{\sqrt{n}}{g(n)}>\sqrt{n}$. Hence, in this case all non-zero vectors are of length at least $\sqrt{n}$.

    Clearly, we can take an LLL reduced basis of the lattice $M$ without changing the properties of the lattice described above. Now consider the distribution $D_{M^*}$. We can efficiently sample from it by sampling a Gaussian centered around the origin with standard deviation $\frac{1}{\sqrt{2\pi}}$ and reducing it modulo ${\cal P}(M^*)$. According to Lemma 4.7, if $p(n)\mid a_1$ then the distribution is exponentially close to $T_{M^*,\tau(M)}$. On the other hand, if $p(n)\nmid a_1$, Lemma 4.6 says that the distribution is exponentially close to the uniform distribution $U_{M^*}$. Therefore, we can decide with non-negligible probability whether $p(n)\mid a_1$ by calling an algorithm that distinguishes between $T_{M^*,\tau(M)}$ and $U_{M^*}$. The error probability can be made exponentially small by calling the algorithm a polynomial number of times and taking the majority.

4.4 One Dimensional Distributions

Lemma 4.9

There exists a constant $c_{\sf h}$ such that for any $g(n)\geq 4\sqrt{n}$, $g(n)\leq poly(n)$, the problem of distinguishing between $U_{L^*}$ and $T_{L^*,\tau(L)}$ for a lattice $L$ given as an LLL reduced basis for which $\lambda(L)\in[\frac{\sqrt{n}}{g(n)},\frac{2\sqrt{n}}{g(n)})$ can be reduced to the problem of distinguishing between $U$ and ${\cal T}_{n,g(n)}$.

  • Proof:

    Let $v_1,\ldots,v_n$ denote the $LLL$ reduced basis of $L$ and let $v^*_1,\ldots,v^*_n$ be the dual basis of $L^*$, i.e., a basis of $L^*$ such that $\langle v_i,v^*_j\rangle=\delta_{ij}$. For some large integer $K$ to be chosen later, consider a function $f$ which maps a vector $v=\sum_{i=1}^n a_i v^*_i$ in ${\cal P}(L^*)$ to $\frac{\lfloor Ka_1\rfloor}{K}+\frac{\lfloor Ka_2\rfloor}{K^2}+\ldots+\frac{\lfloor Ka_{n-1}\rfloor}{K^{n-1}}+\frac{a_n}{K^n}\in[0,1)$. An equivalent way to describe $f$ is the following. For a real $r\in[0,1)$ let $r_1,\ldots,r_{n-1}\in\{0,\frac{1}{K},\ldots,\frac{K-1}{K}\}$ and $r_n\in[0,1)$ be the unique numbers such that $r=r_1+\frac{1}{K}r_2+\ldots+\frac{1}{K^{n-2}}r_{n-1}+\frac{1}{K^{n-1}}r_n$. The set of points that are mapped to $r$ is given by

    $$S(r):=\Big\{\sum_{i=1}^n a_i v^*_i~\Big|~\forall i\in[n-1]~a_i\in\big[r_i,r_i+\tfrac{1}{K}\big]~\text{and}~a_n=r_n\Big\}.$$

    Hence, $S(r)$ is an $n-1$ dimensional parallelepiped whose diameter is at most $\frac{1}{K}\sum_{i=1}^{n-1}\|v^*_i\|$. Let $w$ denote the vector $v^*_1+Kv^*_2+\ldots+K^{n-1}v^*_n$. Then, it is easy to see that for any $r\in[0,1)$ the point $rw$ reduced modulo ${\cal P}(L^*)$ is contained in $S(r)$. The line connecting the origin with $w$, reduced modulo ${\cal P}(L^*)$, goes through the parallelepiped $K^{n-1}$ times. The mapping $f$ essentially takes each point in ${\cal P}(L^*)$ to a nearby point on the line (see Figure 2).

    [Figure 2: two panels, line_in_ppd_2d.eps (left) and line_in_ppd_3d.eps (right)]

    Figure 2: The line connecting the origin to $w$ with $K=4$, in two dimensions with ${\cal P}(v_1,v_2)$ and in three dimensions with the unit cube.

    The reduction works by sampling a point from the given distribution on ${\cal P}(L^*)$ and applying $f$, thereby obtaining a distribution on $[0,1)$. Notice that $f$ can be computed efficiently. Clearly, by starting from a uniform distribution on ${\cal P}(L^*)$ we obtain the uniform distribution on $[0,1)$. Hence, it is enough to consider $T_{L^*,\tau(L)}$. The distribution that we get on $[0,1)$ is given by:

    $$T_1(r):=\frac{d(L^*)}{\mathrm{vol}(S(r))}\int_{S(r)}T_{L^*,\tau(L)}(x)\,dx$$

    which is $d(L^*)$ times the average of $T_{L^*,\tau(L)}$ over $S(r)$. We claim that by choosing $K$ to be large enough this average is very close to its value at $rw\in S(r)$. More formally, we claim that $T_1(r)$ is exponentially close to

    $$T_{|\langle\tau(L),w\rangle|,\lambda(L)^2}(r)=\frac{1}{\lambda(L)}\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+r\langle\tau(L),w\rangle}{\lambda(L)}\right)^2}=d(L^*)\,T_{L^*,\tau(L)}(rw)$$

    where in the first equality we used the fact that $\langle\tau(L),w\rangle$ is an integer and that the function does not change if we change the sign of $\langle\tau(L),w\rangle$.

    By using the mean value theorem we get that for any $r\in[0,1)$ the difference between the maximum and the minimum values of $T_{L^*,\tau(L)}$ over $S(r)$ is at most:

    $$\mathrm{diam}(S(x))\cdot\max_x\frac{d}{dx}\left(\frac{d(L)}{\lambda(L)}\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+\lambda(L)x}{\lambda(L)}\right)^2}\right)\leq\tilde{c}\cdot\frac{1}{K}\sum_{i=1}^{n-1}\|v^*_i\|\cdot\frac{d(L)}{\lambda(L)}$$

    where the inequality is due to Claim A.3 and the assumption that $\lambda(L)\leq\frac{2\sqrt{n}}{g(n)}\leq\frac{1}{2}$. Hence, using Claim A.8,

    $$\begin{aligned}\forall r\in[0,1)~~\Big|T_1(r)-T_{|\langle\tau(L),w\rangle|,\lambda(L)^2}(r)\Big| &\leq d(L^*)\cdot\tilde{c}\cdot\frac{1}{K}\sum_{i=1}^{n-1}\|v^*_i\|\cdot\frac{d(L)}{\lambda(L)}=\tilde{c}\cdot\frac{1}{K}\sum_{i=1}^{n-1}\|v^*_i\|\cdot\frac{1}{\lambda(L)}\\ &\leq\tilde{c}\cdot\frac{1}{K}\cdot n\cdot\frac{\sqrt{n}}{\lambda(L)}\cdot 2^{2n}\cdot\frac{1}{\lambda(L)}\leq\tilde{c}\cdot\frac{1}{K}\cdot 2^{2n}\cdot poly(n)\end{aligned}$$

    and by choosing $K=2^{3n}$ we get that the statistical distance between $T_1$ and $T_{|\langle\tau(L),w\rangle|,\lambda(L)^2}$ is exponentially small.

    Recall that $w=\sum_{i=1}^n K^{i-1}v^*_i$ and $\tau(L)=\sum_{i=1}^n a_i v_i$ where all $|a_i|\leq 2^{2n}$. Since $\langle v_i,v^*_j\rangle=\delta_{ij}$, the inner product $\langle\tau(L),w\rangle$ is an integer and its absolute value is at most $n\cdot 2^{2n}\cdot K^n\leq 2^{c_{\sf h}n^2}$ for a large enough $c_{\sf h}$, as required.
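As an added example (not code from the paper), the following Python computes the map $f$ of Lemma 4.9 on coefficient vectors, the line point $rw$ reduced modulo ${\cal P}(L^*)$, the membership test for $S(r)$, the diameter bound for the unit-cube case of Figure 2, and the one dimensional density $T_{h,\lambda(L)^2}$ of the display above. It uses a tiny $K$ in place of $2^{3n}$ and takes the last term of $f$ as $a_n/K^{n-1}$, the exponent the $r_i$ description requires so that $f(rw \bmod {\cal P}(L^*))=r$; that choice, the sample point and the unit-cube dual basis are the example's own.

```python
"""Added example (not the paper's code): the map f of Lemma 4.9 from P(L*) to
[0,1), the line point rw mod P(L*), the set S(r), and the one dimensional
density T_{h, lam^2}.  A point of P(L*) is given by its coefficients
(a_1, ..., a_n), each in [0,1), in the dual basis v_1^*, ..., v_n^*.
Fractions keep the floors and reductions modulo 1 exact.  K is tiny here;
the paper takes K = 2^{3n}."""
from fractions import Fraction
from math import exp, floor, pi, sqrt


def frac_part(x):
    """x modulo 1: a coefficient after reducing the point modulo P(L*)."""
    return x - floor(x)


def digits(r, K, n):
    """The unique r_1..r_{n-1} in {0, 1/K, ..., (K-1)/K} and r_n in [0,1)
    with r = r_1 + r_2/K + ... + r_{n-1}/K^(n-2) + r_n/K^(n-1)."""
    t = Fraction(r)
    ds = []
    for _ in range(n - 1):
        d = Fraction(floor(K * t), K)   # next base-K digit, scaled into [0,1)
        ds.append(d)
        t = K * (t - d)                 # remaining tail, still in [0,1)
    ds.append(t)                        # r_n
    return ds


def f_map(coeffs, K):
    """f(sum a_i v_i^*) = sum_{i<n} floor(K a_i)/K^i + a_n/K^(n-1).
    Assumption: the last exponent is n-1 (the text's display writes K^n);
    n-1 is what the r_i description needs for f(rw mod P(L*)) = r."""
    coeffs = [Fraction(a) for a in coeffs]
    n = len(coeffs)
    head = sum(Fraction(floor(K * a), K ** i) for i, a in enumerate(coeffs[:-1], 1))
    return head + coeffs[-1] / K ** (n - 1)


def line_point(r, K, n):
    """Coefficients of r*w reduced modulo P(L*), where w = sum_i K^(i-1) v_i^*."""
    r = Fraction(r)
    return [frac_part(r * K ** (i - 1)) for i in range(1, n + 1)]


def in_S(coeffs, r, K):
    """Membership in S(r): a_i in [r_i, r_i + 1/K] for i < n, and a_n = r_n."""
    coeffs = [Fraction(a) for a in coeffs]
    ds = digits(r, K, len(coeffs))
    step = Fraction(1, K)
    return (all(ds[i] <= coeffs[i] <= ds[i] + step for i in range(len(coeffs) - 1))
            and coeffs[-1] == ds[-1])


def diameter_bound(dual_basis, K):
    """The lemma's bound (1/K) * sum_{i<n} ||v_i^*|| on diam(S(r))."""
    return sum(sqrt(sum(c * c for c in v)) for v in dual_basis[:-1]) / K


def corner_distance(dual_basis, K):
    """Distance between the corners (r_1, ..., r_{n-1}, r_n) and
    (r_1 + 1/K, ..., r_{n-1} + 1/K, r_n) of S(r); never above diameter_bound."""
    n = len(dual_basis)
    diff = [sum(dual_basis[i][j] for i in range(n - 1)) / K for j in range(n)]
    return sqrt(sum(c * c for c in diff))


def one_dim_density(r, h, lam, kmax=60):
    """T_{h, lam^2}(r) = (1/lam) sum_k exp(-pi ((k + r h)/lam)^2), the density
    the reduction yields on [0,1) (h = |<tau(L), w>|, lam = lambda(L)).
    The sum is truncated to |k| <= kmax; the density is 1/h-periodic in r."""
    return sum(exp(-pi * ((k + float(r) * h) / lam) ** 2)
               for k in range(-kmax, kmax + 1)) / lam


def total_mass(h, lam, steps=2000):
    """Midpoint-rule integral of T_{h, lam^2} over [0,1); should be 1."""
    return sum(one_dim_density((j + 0.5) / steps, h, lam) for j in range(steps)) / steps


def demo(K=4, n=3):
    """Round trip for a constructed point; the unit cube of Figure 2 is the dual basis."""
    a = [Fraction(5, 8), Fraction(1, 3), Fraction(2, 7)]   # constructed sample
    r = f_map(a, K)
    p = line_point(r, K, n)
    cube = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
    return {
        "r": r,
        "a in S(r)": in_S(a, r, K),
        "rw mod P(L*) in S(r)": in_S(p, r, K),
        "f(rw mod P(L*)) == r": f_map(p, K) == r,
        "corner distance <= bound": corner_distance(cube, K) <= diameter_bound(cube, K),
        "mass of T_{7, 1/16}": round(total_mass(7, 0.25), 6),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```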

5 Analysis of the Public Key Cryptosystem

Lemma 5.1 (Correctness)

The probability of a decryption error is at most $2^{-\Omega(\frac{(\gamma(n))^2}{m})}$ plus some exponentially small terms.

Note that the above probability is negligible since $\gamma(n)=\omega(n\sqrt{\log n})$.

  • Proof:

    First consider an encryption of the bit $0$. Probabilities are taken over the choices of the private and public keys and the randomization in the encryption process. Let $S$ denote the subset of indices which are included in the sum and let $w:=\sum_{i\in S}a_i~\mathrm{mod}~N$. Since $\sum_{i\in S}a_i\leq m\cdot N$,

    $$\Big|w-\Big(\sum_{i\in S}a_i~\mathrm{mod}~d\lfloor h\rceil\Big)\Big|\leq m\cdot|N-d\lfloor h\rceil|=m\cdot d\cdot\mathrm{frc}(h)<\frac{1}{16}d$$

    and by the triangle inequality,

    $$\mathrm{frc}\Big(\frac{w}{d}\Big)<\frac{1}{16}+\mathrm{frc}\Big(\frac{\sum_{i\in S}a_i~\mathrm{mod}~d\lfloor h\rceil}{d}\Big)=\frac{1}{16}+\mathrm{frc}\Big(\frac{\sum_{i\in S}a_i}{d}\Big)<\frac{1}{16}+\frac{m}{d}+\mathrm{frc}\Big(\frac{N}{d}\sum_{i\in S}z_i\Big)$$

    where the last inequality uses $|N\cdot z_i-a_i|<1$. Notice that $\mathrm{frc}(\frac{N}{d}\sum_{i\in S}z_i)=\mathrm{frc}(\sum_{i\in S}(x_i+y_i))=\mathrm{frc}(\sum_{i\in S}y_i)$. Hence,

    $$\mathrm{frc}\Big(\frac{w}{d}\Big)<\frac{1}{16}+\frac{m}{d}+\mathrm{frc}\Big(\sum_{i\in S}y_i\Big)<\frac{1}{8}+\mathrm{frc}\Big(\sum_{i\in S}y_i\Big)$$

    where we used the fact that $d$ is much larger than $m$. With probability exponentially close to $1$, all $x_i$'s are strictly less than $\lceil h\rceil-1$. Conditioned on that, the distribution of $y_i$ is $Q_\beta$ and the distribution of $\sum_{i\in S}y_i~\mathrm{mod}~1$ is $Q_{|S|\beta}$ where $|S|\beta\leq m\cdot\beta=O(\frac{m}{(\gamma(n))^2})$. Therefore, according to Claim A.1, the probability of $\mathrm{frc}(\sum_{i\in S}y_i)>\frac{1}{16}$ is at most $2^{-\Omega(\frac{\gamma(n)}{m})}$ and hence

    frc⁒(wd)<18+116frc𝑀𝑑18116\mathrm{frc}(\frac{w}{d})<\frac{1}{8}+\frac{1}{16}roman_frc ( divide start_ARG italic_w end_ARG start_ARG italic_d end_ARG ) < divide start_ARG 1 end_ARG start_ARG 8 end_ARG + divide start_ARG 1 end_ARG start_ARG 16 end_ARG (3)

    which is less than 1414\frac{1}{4}divide start_ARG 1 end_ARG start_ARG 4 end_ARG, as required.

    The proof for the case of an encryption of 1111 is similar. By using the fact that xi0subscriptπ‘₯subscript𝑖0x_{i_{0}}italic_x start_POSTSUBSCRIPT italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT end_POSTSUBSCRIPT is odd and that with probability exponentially close to 1111, frc⁒(yi0)<116frcsubscript𝑦subscript𝑖0116\mathrm{frc}(y_{i_{0}})<\frac{1}{16}roman_frc ( italic_y start_POSTSUBSCRIPT italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT end_POSTSUBSCRIPT ) < divide start_ARG 1 end_ARG start_ARG 16 end_ARG we get frc⁒(⌊ai0/2βŒ‹d)>12βˆ’132βˆ’1dfrcsubscriptπ‘Žsubscript𝑖02𝑑121321𝑑\mathrm{frc}(\frac{{\lfloor a_{i_{0}}/2\rfloor}}{d})>\frac{1}{2}-\frac{1}{32}-\frac{1}{d}roman_frc ( divide start_ARG ⌊ italic_a start_POSTSUBSCRIPT italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT end_POSTSUBSCRIPT / 2 βŒ‹ end_ARG start_ARG italic_d end_ARG ) > divide start_ARG 1 end_ARG start_ARG 2 end_ARG - divide start_ARG 1 end_ARG start_ARG 32 end_ARG - divide start_ARG 1 end_ARG start_ARG italic_d end_ARG. This, combined with (3) gives

    frc⁒(wd)>frc⁒(⌊ai0/2βŒ‹d)βˆ’18βˆ’116>14frc𝑀𝑑frcsubscriptπ‘Žsubscript𝑖02𝑑1811614\mathrm{frc}(\frac{w}{d})>\mathrm{frc}(\frac{{\lfloor a_{i_{0}}/2\rfloor}}{d})-\frac{1}{8}-\frac{1}{16}>\frac{1}{4}roman_frc ( divide start_ARG italic_w end_ARG start_ARG italic_d end_ARG ) > roman_frc ( divide start_ARG ⌊ italic_a start_POSTSUBSCRIPT italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT end_POSTSUBSCRIPT / 2 βŒ‹ end_ARG start_ARG italic_d end_ARG ) - divide start_ARG 1 end_ARG start_ARG 8 end_ARG - divide start_ARG 1 end_ARG start_ARG 16 end_ARG > divide start_ARG 1 end_ARG start_ARG 4 end_ARG

    and the proof is completed. Β 

Before establishing the security of the construction, let us prove a few simple claims.

Claim 5.2

For any $h\in\mathbb{N}$, $\beta\in\mathbb{R}$, let $X, Y$ be two independent random variables; $X$ is distributed uniformly over $\{0, \frac{1}{h}, \ldots, \frac{h-1}{h}\}$ and $Y$ is normal with mean $0$ and variance $\frac{\beta}{2\pi h^2}$. Then $T_{h,\beta}$ is equivalent to the distribution of the sum of $X$ and $Y$ reduced modulo $1$.

  • Proof:
    $$
    \begin{aligned}
    T_{h,\beta}(r) &= Q_\beta(hr \bmod 1) = \sum_{k=-\infty}^{\infty} \frac{1}{\sqrt{\beta}}\, e^{-\frac{\pi}{\beta}(hr-k)^2} \\
    &= \sum_{l=0}^{h-1}\sum_{k=-\infty}^{\infty} \frac{1}{\sqrt{\beta}}\, e^{-\frac{\pi}{\beta}(hr-hk-l)^2}
     = \sum_{l=0}^{h-1}\frac{1}{h}\sum_{k=-\infty}^{\infty} \frac{h}{\sqrt{\beta}}\, e^{-\frac{\pi h^2}{\beta}\left(r-k-\frac{l}{h}\right)^2}
    \end{aligned}
    $$

    ∎

Claim 5.3

For $h\in\mathbb{N}$, $T_{h,\beta} + Q_\delta \bmod 1 = T_{h,\beta+\delta h^2}$.

  • Proof:

    According to Claim 5.2, $T_{h,\beta}$ can be viewed as the sum of two random variables $X$ and $Y$ reduced modulo $1$. Therefore, $T_{h,\beta} + Q_\delta \bmod 1 = X + Y + Q_\delta \bmod 1$. But since both $Y$ and $Q_\delta$ are normal, their sum modulo $1$ is exactly $Q_{\frac{\beta}{h^2}+\delta}$ and we conclude the proof by using Claim 5.2 again. ∎

Definition 5.4

Given a density function $X$ on $[0,1)$ we define its compression by a factor $\delta \ge 1$ as the distribution on $[0,1)$ given by

$$\frac{1}{\int_0^1 X(\delta x \bmod 1)\,dx}\; X(\delta r \bmod 1).$$

We denote the result by $C_\delta(X)$.

Using the above definition, $T_{h,\beta}$ is a compression of $Q_\beta$ by a factor of $h$. Notice that if we can sample efficiently from $X$ then we can also sample efficiently from its compression. This is done in a way similar to that used to sample from $T_{h,\beta}$.

Claim 5.5

For any $h\in\mathbb{N}$ and $\delta \ge 1$, the compression of $T_{h,\beta}$ by a factor $\delta$ is $T_{\delta h,\beta}$.

  • Proof:

    The proof follows directly from the definition of $T_{h,\beta}$. ∎
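A numerical check of Claims 5.2 and 5.3, added here as an example and not code from the paper: it evaluates the density $Q_\beta(x) = \sum_k \beta^{-1/2} e^{-\pi(x-k)^2/\beta}$ used in the proof of Claim 5.2, compares $T_{h,\beta}$ with the grid-plus-Gaussian mixture of Claim 5.2, computes the circular convolution of Claim 5.3 by quadrature, and samples $T_{h,\beta}$ the way Claim 5.2 suggests. It assumes $\beta, \delta < 1$ so that truncating the periodised sum to $|k| \le 20$ is harmless.

```python
"""Numerical check of Claims 5.2 and 5.3 (added example, not code from the paper).

Q_beta denotes the normal distribution of variance beta/(2 pi) reduced modulo 1,
with density Q_beta(x) = sum_k beta^(-1/2) exp(-pi (x - k)^2 / beta), the form
used in the proof of Claim 5.2, and T_{h,beta}(r) = Q_beta(h r mod 1)."""
import math
import random


def q_density(beta, x, terms=20):
    """Density of Q_beta at x in [0, 1): a Gaussian periodised over the integers.
    The sum over k is truncated to |k| <= terms; for beta < 1 the dropped tail
    is far below double precision."""
    return sum(math.exp(-math.pi * (x - k) ** 2 / beta)
               for k in range(-terms, terms + 1)) / math.sqrt(beta)


def t_density(h, beta, r):
    """T_{h,beta}(r) = Q_beta(h r mod 1): Q_beta compressed by a factor h."""
    return q_density(beta, (h * r) % 1.0)


def t_density_as_mixture(h, beta, r):
    """Right-hand side of Claim 5.2: X uniform on {0, 1/h, ..., (h-1)/h} plus an
    independent Gaussian of variance beta/(2 pi h^2), reduced mod 1.  Its density
    is (1/h) * sum_l Q_{beta/h^2}(r - l/h), the last expression in the proof."""
    return sum(q_density(beta / h ** 2, (r - l / h) % 1.0) for l in range(h)) / h


def sample_t(h, beta, seed):
    """Sample T_{h,beta} as Claim 5.2 suggests: pick the grid point X, add the
    narrow Gaussian Y, reduce modulo 1.  Seeded so the run is reproducible."""
    rng = random.Random(seed)
    x = rng.randrange(h) / h
    y = rng.gauss(0.0, math.sqrt(beta / (2 * math.pi)) / h)
    return (x + y) % 1.0


def integrate_unit_interval(f, n=4000):
    """Midpoint rule on [0, 1).  For smooth periodic integrands (all densities
    here) the error decays faster than any power of 1/n."""
    return sum(f((j + 0.5) / n) for j in range(n)) / n


def convolve_mod_1(f, g, r, n=1000):
    """Density at r of the sum modulo 1 of independent variables with densities
    f and g on [0, 1): the circular convolution (f * g)(r) by the midpoint rule."""
    total = 0.0
    for j in range(n):
        x = (j + 0.5) / n
        total += f(x) * g((r - x) % 1.0)
    return total / n


def claim_5_3_sides(h, beta, delta, r):
    """Left and right side of Claim 5.3 at r: the density of
    T_{h,beta} + Q_delta mod 1, and T_{h, beta + delta h^2}(r)."""
    left = convolve_mod_1(lambda x: t_density(h, beta, x),
                          lambda x: q_density(delta, x), r)
    right = t_density(h, beta + delta * h ** 2, r)
    return left, right


if __name__ == "__main__":
    h, beta, delta = 4, 0.05, 0.03  # constructed parameters for the check
    for r in (0.26, 0.5, 0.9):
        print(f"Claim 5.2 at r={r}: {t_density(h, beta, r):.6f} vs "
              f"{t_density_as_mixture(h, beta, r):.6f}")
    print("mass of T_{h,beta}:",
          integrate_unit_interval(lambda r: t_density(h, beta, r)))
    left, right = claim_5_3_sides(h, beta, delta, 0.3)
    print(f"Claim 5.3 at r=0.3: {left:.6f} vs {right:.6f}")
    print("one sample of T_{h,beta}:", sample_t(h, beta, seed=1))
```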

Claim 5.6

For large enough $c$, when choosing $c\cdot l$ numbers $a_1,\ldots,a_{c\cdot l}$ uniformly from $0$ to $2^l-1$, the probability that the statistical distance between the uniform distribution on $\{0,\ldots,2^l-1\}$ and the distribution given by sums modulo $2^l$ of random subsets of $\{a_1,\ldots,a_{c\cdot l}\}$ is more than $2^{-l}$ is at most $2^{-l}$.

  • Proof:

    Let $X_{t,b}$ for $t\in\{0,\ldots,2^l-1\}$, $b\in\{0,1\}^{c\cdot l}\setminus 0^{c\cdot l}$ denote the event that $\sum_{i=1}^{c\cdot l} b_i a_i \equiv t \pmod{2^l}$, where the probability is taken over the choice of $\{a_1,\ldots,a_{c\cdot l}\}$. Then, $E[X_{t,b}] = 2^{-l}$ and $V[X_{t,b}] < 2^{-l}$. Hence, $E[Y_t] = \frac{2^{c\cdot l}-1}{2^l} = 2^{(c-1)\cdot l} - 2^{-l}$ where $Y_t$ denotes $\sum_{b\in\{0,1\}^{c\cdot l}\setminus 0^{c\cdot l}} X_{t,b}$. Moreover, for $b\neq b'$, the events $X_{t,b}$ and $X_{t,b'}$ are pairwise disjoint. Therefore, $V[Y_t] < \frac{2^{c\cdot l}-1}{2^l} < 2^{(c-1)\cdot l}$. Using the Chebyshev inequality,

    $$\Pr\left(\left|Y_t - (2^{(c-1)\cdot l} - 2^{-l})\right| \ge 2^{(\frac{c-1}{2}+1)\cdot l}\right) \le 2^{-2l}$$

    and hence,

    $$\Pr\left(\left|Y_t - 2^{(c-1)\cdot l}\right| \ge 2^{(\frac{c-1}{2}+1)\cdot l} + 2^{-l}\right) \le 2^{-2l}.$$

    Using the union bound,

    $$\Pr\left(\exists t,~\left|Y_t - 2^{(c-1)\cdot l}\right| \ge 2^{(\frac{c-1}{2}+1)\cdot l} + 2^{-l}\right) \le 2^{-l}.$$

    Therefore, with probability at least $1 - 2^{-l}$ on the choice of $\{a_1,\ldots,a_{c\cdot l}\}$, the number of subsets (including the empty subset) mapped to each number $t$ is at most $2^{(\frac{c-1}{2}+1)\cdot l} + 2^{-l} + 1 \le 2^{(\frac{c-1}{2}+2)\cdot l}$ away from $2^{(c-1)\cdot l}$. This translates to a statistical distance of at most

    $$2^{(\frac{c-1}{2}+2)\cdot l}\cdot 2^{-(c-1)\cdot l} < 2^{-l}$$

    for large enough $c$. ∎
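Claim 5.6 can be checked exactly for small parameters. The following Python example is added here and is not code from the paper: it computes the distribution of subset sums modulo $2^l$ by dynamic programming over the $2^l$ residues (rather than enumerating all $2^{c\cdot l}$ subsets), returns the statistical distance from uniform as an exact rational, and draws one seeded, constructed instance with the parameters of the claim.

```python
"""Exact statistical distance for Claim 5.6 (added example, not code from the paper).

For residues a_1, ..., a_{c l} modulo 2^l, the distribution of
sum_{i in S} a_i mod 2^l over a uniformly random subset S (the empty subset
included) is computed exactly and compared with the uniform distribution on
{0, ..., 2^l - 1}."""
import random
from fractions import Fraction


def subset_sum_counts(a, l):
    """counts[t] = number of subsets of a whose sum is congruent to t mod 2^l.
    Dynamic programming over the 2^l residues: O(len(a) * 2^l) work instead of
    enumerating all 2^len(a) subsets."""
    q = 1 << l
    counts = [0] * q
    counts[0] = 1  # the empty subset sums to 0
    for ai in a:
        r = ai % q
        new = counts[:]  # subsets that leave a_i out
        for t, cnt in enumerate(counts):
            if cnt:
                new[(t + r) % q] += cnt  # the same subsets with a_i added
        counts = new
    return counts


def statistical_distance_from_uniform(a, l):
    """(1/2) * sum_t |Pr[subset sum = t] - 2^-l|, as an exact rational."""
    q = 1 << l
    total = 1 << len(a)  # number of subsets, empty subset included
    counts = subset_sum_counts(a, l)
    assert sum(counts) == total
    return sum(abs(Fraction(cnt, total) - Fraction(1, q)) for cnt in counts) / 2


def claim_5_6_instance(l, c, seed):
    """Draw c*l numbers uniformly from {0, ..., 2^l - 1} as in Claim 5.6 and
    return (numbers, statistical distance, the claim's bound 2^-l).
    The numbers are constructed sample values; seeded so the run is reproducible."""
    rng = random.Random(seed)
    a = [rng.randrange(1 << l) for _ in range(c * l)]
    return a, statistical_distance_from_uniform(a, l), Fraction(1, 1 << l)


if __name__ == "__main__":
    # Powers of two: every residue is hit by exactly one subset, distance 0.
    print(statistical_distance_from_uniform([1, 2, 4], 3))
    # All elements even: odd residues are never hit, distance 1/2.
    print(statistical_distance_from_uniform([2, 2], 2))
    a, dist, bound = claim_5_6_instance(l=4, c=4, seed=2003)
    print(f"l=4, c=4: distance {float(dist):.5f}, bound 2^-l = {float(bound)}")
```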

Lemma 5.7 (Security)

For $c_{\sf N} \ge 2c_{\sf h}$ and large enough $c_{\sf m}$, if there exists a polynomial time algorithm $\mathcal{A}$ that distinguishes between encryptions of $0$ and $1$ then there exists an algorithm $\mathcal{B}$ that distinguishes between the distributions $U$ and $\mathcal{T}_{n,\sqrt{n}\gamma(n)}$.

  • Proof:

    Let p0subscript𝑝0p_{0}italic_p start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT be the acceptance probability of π’œπ’œ{\cal A}caligraphic_A on input ((a1,…,am,i0),w)subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0𝑀((a_{1},\ldots,a_{m},i_{0}),w)( ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) , italic_w ) where w𝑀witalic_w is an encryption of 00 with the public key (a1,…,am,i0)subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0(a_{1},\ldots,a_{m},i_{0})( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) and the probability is taken over the choice of private and public keys and the encryption algorithm. We define p1subscript𝑝1p_{1}italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT similarly for encryptions of 1111 and let pusubscript𝑝𝑒p_{u}italic_p start_POSTSUBSCRIPT italic_u end_POSTSUBSCRIPT be the acceptance probability of π’œπ’œ{\cal A}caligraphic_A on inputs ((a1,…,am,i0),w)subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0𝑀((a_{1},\ldots,a_{m},i_{0}),w)( ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) , italic_w ) where a1,…,am,i0subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0a_{1},\ldots,a_{m},i_{0}italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT are again chosen according to the private and public keys distribution but w𝑀witalic_w is chosen uniformly from {0,…,Nβˆ’1}0…𝑁1\{0,\ldots,N-1\}{ 0 , … , italic_N - 1 }. 
We would like to construct an π’œβ€²superscriptπ’œβ€²{\cal A}^{\prime}caligraphic_A start_POSTSUPERSCRIPT β€² end_POSTSUPERSCRIPT that distinguishes between the case where w𝑀witalic_w is an encryption of 00 and the case where w𝑀witalic_w is random. According to our hypothesis, |p0βˆ’p1|β‰₯1ncsubscript𝑝0subscript𝑝11superscript𝑛𝑐{\left|{p_{0}-p_{1}}\right|}\geq\frac{1}{n^{c}}| italic_p start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT - italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT | β‰₯ divide start_ARG 1 end_ARG start_ARG italic_n start_POSTSUPERSCRIPT italic_c end_POSTSUPERSCRIPT end_ARG for some c>0𝑐0c>0italic_c > 0. Therefore, either |p0βˆ’pu|β‰₯12⁒ncsubscript𝑝0subscript𝑝𝑒12superscript𝑛𝑐{\left|{p_{0}-p_{u}}\right|}\geq\frac{1}{2n^{c}}| italic_p start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT - italic_p start_POSTSUBSCRIPT italic_u end_POSTSUBSCRIPT | β‰₯ divide start_ARG 1 end_ARG start_ARG 2 italic_n start_POSTSUPERSCRIPT italic_c end_POSTSUPERSCRIPT end_ARG or |p1βˆ’pu|β‰₯12⁒ncsubscript𝑝1subscript𝑝𝑒12superscript𝑛𝑐{\left|{p_{1}-p_{u}}\right|}\geq\frac{1}{2n^{c}}| italic_p start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT - italic_p start_POSTSUBSCRIPT italic_u end_POSTSUBSCRIPT | β‰₯ divide start_ARG 1 end_ARG start_ARG 2 italic_n start_POSTSUPERSCRIPT italic_c end_POSTSUPERSCRIPT end_ARG. In the former case π’œπ’œ{\cal A}caligraphic_A is itself the required distinguisher. In the latter case π’œπ’œ{\cal A}caligraphic_A distinguishes between the case where w𝑀witalic_w is an encryption of 1111 and the case where w𝑀witalic_w is random. We construct π’œβ€²superscriptπ’œβ€²{\cal A}^{\prime}caligraphic_A start_POSTSUPERSCRIPT β€² end_POSTSUPERSCRIPT as follows. 
On input ((a1,…,an,i0),w)subscriptπ‘Ž1…subscriptπ‘Žπ‘›subscript𝑖0𝑀((a_{1},\ldots,a_{n},i_{0}),w)( ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_n end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) , italic_w ), π’œβ€²superscriptπ’œβ€²{\cal A}^{\prime}caligraphic_A start_POSTSUPERSCRIPT β€² end_POSTSUPERSCRIPT calls π’œπ’œ{\cal A}caligraphic_A with ((a1,…,an,i0),w+⌊ai02βŒ‹β’mod⁒N)subscriptπ‘Ž1…subscriptπ‘Žπ‘›subscript𝑖0𝑀subscriptπ‘Žsubscript𝑖02mod𝑁((a_{1},\ldots,a_{n},i_{0}),w+{\lfloor\frac{a_{i_{0}}}{2}\rfloor}~{}\mathrm{mod}~{}N)( ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_n end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) , italic_w + ⌊ divide start_ARG italic_a start_POSTSUBSCRIPT italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT end_POSTSUBSCRIPT end_ARG start_ARG 2 end_ARG βŒ‹ roman_mod italic_N ). Notice that this maps the distribution on encryptions of 00 to the distribution on encryptions of 1111 and the uniform distribution to itself. Therefore, π’œβ€²superscriptπ’œβ€²{\cal A}^{\prime}caligraphic_A start_POSTSUPERSCRIPT β€² end_POSTSUPERSCRIPT is the required distinguisher.

    Let p0⁒(a1,…,am,i0)subscript𝑝0subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0p_{0}(a_{1},\ldots,a_{m},i_{0})italic_p start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) be the probability that π’œβ€²superscriptπ’œβ€²{\cal A}^{\prime}caligraphic_A start_POSTSUPERSCRIPT β€² end_POSTSUPERSCRIPT accepts on inputs ((a1,…,am,i0),w)subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0𝑀((a_{1},\ldots,a_{m},i_{0}),w)( ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) , italic_w ) where the probability is taken only over the choice of w𝑀witalic_w as an encryption of 00 with the fixed public key (a1,…,am,i0)subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0(a_{1},\ldots,a_{m},i_{0})( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ). Similarly, define pu⁒(a1,…,am,i0)subscript𝑝𝑒subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0p_{u}(a_{1},\ldots,a_{m},i_{0})italic_p start_POSTSUBSCRIPT italic_u end_POSTSUBSCRIPT ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) to be the acceptance probability of π’œβ€²superscriptπ’œβ€²{\cal A}^{\prime}caligraphic_A start_POSTSUPERSCRIPT β€² end_POSTSUPERSCRIPT where w𝑀witalic_w is now chosen uniformly at random from {0,…,Nβˆ’1}0…𝑁1\{0,\ldots,N-1\}{ 0 , … , italic_N - 1 }. Define

    Y={(a1,…,am,i0)||p0⁒(a1,…,am,i0)βˆ’pu⁒(a1,…,am,i0)|β‰₯14⁒nc}.π‘Œconditional-setsubscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0subscript𝑝0subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0subscript𝑝𝑒subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖014superscript𝑛𝑐Y=\left\{(a_{1},\ldots,a_{m},i_{0})~{}\left|~{}|p_{0}(a_{1},\ldots,a_{m},i_{0})-p_{u}(a_{1},\ldots,a_{m},i_{0})|\geq\frac{1}{4n^{c}}\right.\right\}.italic_Y = { ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) | | italic_p start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) - italic_p start_POSTSUBSCRIPT italic_u end_POSTSUBSCRIPT ( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) | β‰₯ divide start_ARG 1 end_ARG start_ARG 4 italic_n start_POSTSUPERSCRIPT italic_c end_POSTSUPERSCRIPT end_ARG } .

    By an averaging argument we get that with probability at least 14⁒nc14superscript𝑛𝑐\frac{1}{4n^{c}}divide start_ARG 1 end_ARG start_ARG 4 italic_n start_POSTSUPERSCRIPT italic_c end_POSTSUPERSCRIPT end_ARG on the choice of (a1,…,am,i0)subscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0(a_{1},\ldots,a_{m},i_{0})( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ), (a1,…,am,i0)∈Ysubscriptπ‘Ž1…subscriptπ‘Žπ‘šsubscript𝑖0π‘Œ(a_{1},\ldots,a_{m},i_{0})\in Y( italic_a start_POSTSUBSCRIPT 1 end_POSTSUBSCRIPT , … , italic_a start_POSTSUBSCRIPT italic_m end_POSTSUBSCRIPT , italic_i start_POSTSUBSCRIPT 0 end_POSTSUBSCRIPT ) ∈ italic_Y for otherwise π’œβ€²superscriptπ’œβ€²{\cal A}^{\prime}caligraphic_A start_POSTSUPERSCRIPT β€² end_POSTSUPERSCRIPT would have a gap of less than 12⁒nc12superscript𝑛𝑐\frac{1}{2n^{c}}divide start_ARG 1 end_ARG start_ARG 2 italic_n start_POSTSUPERSCRIPT italic_c end_POSTSUPERSCRIPT end_ARG.

    In the following we describe the distinguisher ${\cal B}$. We are given a distribution $R$ which is either $U$ or some $T_{h,\beta}\in{\cal T}_{n,\sqrt{n}\gamma(n)}$ with an integer $h\leq 2^{c_{\sf h} n^2}\leq\sqrt{N}$ and a real $\beta\in[\frac{1}{(\gamma(n))^2},4\frac{1}{(\gamma(n))^2})$. Note that neither $h$ nor $\beta$ is given to ${\cal B}$. Our goal is to construct ${\cal B}$ such that the acceptance probability with $U$ and the acceptance probability with $T_{h,\beta}$ differ by a non-negligible factor. We first choose ${\tilde h}$ uniformly from the set $\{1,2,4,\ldots,\sqrt{N}\}$.
    In addition we choose $\delta$ uniformly from the range $[\sqrt{N}/{\tilde h},4\sqrt{N}/{\tilde h})$ and $s$ uniformly from the range $[0,7\frac{1}{(\gamma(n))^2})$. Then, consider the distribution $R'=C_\delta(R+Q_{\delta^2 s/N}~\mathrm{mod}~1)$, i.e., we first add a normal variable to $R$ and then compress the result by a factor of $\delta$. We take $m$ samples $a_1,\ldots,a_m$ from $\lfloor N\cdot R'\rfloor$ and let $i_0$ be chosen randomly from $[m]$.
    We estimate $p_0(a_1,\ldots,a_m,i_0)$ and $p_u(a_1,\ldots,a_m,i_0)$ by computing many values $w$, either according to the encryption algorithm or randomly, and then calling ${\cal A}'$. By using a polynomial size sample, we can estimate the two probabilities up to an error of at most $\frac{1}{32n^c}$. If the two estimates differ by more than $\frac{1}{4n^c}$, ${\cal B}$ accepts. Otherwise, ${\cal B}$ rejects.

    We first claim that when $R$ is the uniform distribution, ${\cal B}$ rejects with high probability. The distribution $R+Q_{\delta^2 s/N}~\mathrm{mod}~1$ is still a uniform distribution on $[0,1)$ and so is $R'$, as can be easily seen from the definition of the compression. Therefore, $a_1,\ldots,a_m$ are chosen uniformly from $\{0,1,\ldots,N-1\}$ and according to Claim 5.6, if $c_{\sf m}$ is a large enough constant then with probability exponentially close to $1$, the distribution on $w$ obtained by encryptions of $0$ is exponentially close to the uniform distribution on $\{0,1,\ldots,N-1\}$.
    Therefore, since ${\cal A}'$ can be seen as a function on $w$, $|p_0(a_1,\ldots,a_m,i_0)-p_u(a_1,\ldots,a_m,i_0)|$ is also exponentially small and ${\cal B}$ rejects.

    Now assume that $R$ is the distribution $T_{h,\beta}$ for some fixed $h$ and $\beta$; we claim that ${\cal B}$ accepts with non-negligible probability. According to Claim 5.3, $R+Q_{\delta^2 s/N}~\mathrm{mod}~1$ is $T_{h,\beta+(\delta h)^2 s/N}$. Hence, according to Claim 5.5, $R'$ is $T_{\delta h,\beta+(\delta h)^2 s/N}$.
    Let $X$ denote the event that $h\leq{\tilde h}<2h$, $\delta h\in[\sqrt{N},2\sqrt{N})$, $\mathrm{frc}(\delta h)<\frac{1}{16m}$ and $\beta+(\delta h)^2 s/N\in[4\frac{1}{(\gamma(n))^2},8\frac{1}{(\gamma(n))^2})$. We now show that the probability, over our choice of ${\tilde h},\delta,s$, that $X$ happens is at least $\frac{1}{poly(n)}$. First, with probability $\frac{1}{\log(\sqrt{N})}=\frac{2}{c_{\sf N} n^2}$, $h\leq{\tilde h}<2h$.
    Now, $\delta h$ is uniformly distributed in $[h/{\tilde h}\cdot\sqrt{N},4h/{\tilde h}\cdot\sqrt{N})$. Therefore, conditioned on $h\leq{\tilde h}<2h$, the probability that $\delta h\in[\sqrt{N},2\sqrt{N})$ is at least $\frac{1}{3}$. Moreover, conditioned on $h\leq{\tilde h}<2h$ and $\delta h\in[\sqrt{N},2\sqrt{N})$, the probability that $\mathrm{frc}(\delta h)<\frac{1}{16m}$ is $\frac{1}{8m}$.
    For any fixed $\delta h\in[\sqrt{N},2\sqrt{N})$, $(\delta h)^2/N\in[1,4)$ and therefore $\beta+(\delta h)^2 s/N$ is distributed uniformly in $[\beta,\beta+(\delta h)^2/N\cdot\frac{7}{(\gamma(n))^2})$. The length of this range is at most $4\cdot\frac{7}{(\gamma(n))^2}$ and it always contains the range $[4\frac{1}{(\gamma(n))^2},8\frac{1}{(\gamma(n))^2})$ (because $\beta\in[\frac{1}{(\gamma(n))^2},4\frac{1}{(\gamma(n))^2})$).
    Therefore, the probability over the choice of $s$ that $\beta+(\delta h)^2 s/N\in[4\frac{1}{(\gamma(n))^2},8\frac{1}{(\gamma(n))^2})$ is at least $\frac{4}{28}=\frac{1}{7}$. To sum up, the probability of $X$ is at least $\frac{2}{c_{\sf N} n^2}\cdot\frac{1}{3}\cdot\frac{1}{7}\cdot\frac{1}{8m}=\frac{1}{poly(n)}$.

    Notice that conditioned on $X$, the distribution of $\delta h$ and $\beta+(\delta h)^2/N$ is the same as the distribution of $h$ and $\beta$ in the choice of the private and public keys. Therefore the probability that $(a_1,\ldots,a_m,i_0)\in Y$ is at least

    $$\Pr(X)\cdot\Pr\left(\exists i_0,\ (a_1,\ldots,a_m,i_0)\in Y~|~X\right)\cdot\frac{1}{m}\geq\Pr(X)\cdot\frac{1}{4n^c}\cdot\frac{1}{m}=\frac{1}{poly(n)}.$$

    But when $(a_1,\ldots,a_m,i_0)\in Y$,

    $$|p_0(a_1,\ldots,a_m,i_0)-p_u(a_1,\ldots,a_m,i_0)|\geq\frac{1}{4n^c}$$

    and therefore our estimates are good enough and ${\cal B}$ accepts. ∎

By combining the two lemmas above we get,

Theorem 5.8

For $c_{\sf N}\geq 2c_{\sf h}$ and large enough $c_{\sf m}$, the public key cryptosystem described in Section 3 makes decryption errors with negligible probability and its security is based on $\sqrt{n}\cdot\gamma(n)$-uSVP.

6 Analysis of the Collision Resistant Hash Function

Claim 6.1

Let $X_1,\ldots,X_m$ be $m$ independent normal random variables with mean 0 and standard deviation $\sigma$. For any vector $b\in\mathbb{R}^m$, the random variable $\sum_{i=1}^m b_i X_i$ has a normal distribution with mean 0 and standard deviation $\|b\|\cdot\sigma$.

  • Proof:

    The joint distribution $(X_1,\ldots,X_m)$ is a Gaussian distribution in $\mathbb{R}^m$ which is invariant under rotations. Hence we can equivalently consider the inner product of $(\|b\|,0,\ldots,0)$ and a Gaussian distribution. We complete the proof by noting that the first coordinate of the Gaussian has a normal distribution with mean $0$ and standard deviation $\sigma$. ∎

Definition 6.2

For any $h\in\mathbb{Z}$, ${\tilde h},\beta\in\mathbb{R}$ and any $a\in[0,1)$ we define the following two density functions on $[0,1)$:

$$S_{{\tilde h},h,\beta,a}(r):=\frac{1}{{\tilde h}\int_a^{a+1/{\tilde h}}T_{h,\beta}(x)\,dx}\,T_{h,\beta}\left(a+\frac{r}{{\tilde h}}\right)$$
$$S'_{h,\beta,a}(r):=T_{h,\beta}\left(a+\frac{r}{h}\right)=Q_\beta(a\cdot h+r~\mathrm{mod}~1).$$

Claim 6.3

If $h\leq{\tilde h}<(1+\delta)h$ where $h\in\mathbb{Z}$, ${\tilde h}\in\mathbb{R}$, $\delta>0$ and $\beta\leq\frac{1}{4}$, then $\Delta(S_{{\tilde h},h,\beta,a},S'_{h,\beta,a})\leq\frac{\tilde c}{\beta}\delta$.

  • Proof:

    According to Claim A.2, $T_{h,\beta}(x)=Q_\beta(hx~\mathrm{mod}~1)\leq(1+\sqrt{\beta})/\sqrt{\beta}\leq 2/\sqrt{\beta}$ for any $x\in\mathbb{R}$. Therefore,

    $$\int_a^{a+1/h}T_{h,\beta}(x)\,dx-\int_a^{a+1/{\tilde h}}T_{h,\beta}(x)\,dx\leq\frac{2}{\sqrt{\beta}}\left(\frac{1}{h}-\frac{1}{{\tilde h}}\right)=\frac{2}{\sqrt{\beta}\cdot{\tilde h}}\left(\frac{{\tilde h}}{h}-1\right)\leq\frac{2\delta}{\sqrt{\beta}\cdot{\tilde h}}.$$

    But $\int_a^{a+1/h}T_{h,\beta}(x)\,dx=\frac{1}{h}$ and therefore we see that

    $$\frac{{\tilde h}}{h}-{\tilde h}\int_a^{a+1/{\tilde h}}T_{h,\beta}(x)\,dx\leq\frac{2\delta}{\sqrt{\beta}}.$$

    Let $S''_{{\tilde h},h,\beta,a}(r):=T_{h,\beta}(a+r/{\tilde h})$. Then,

    $$\int_0^1\left|S_{{\tilde h},h,\beta,a}(r)-S''_{{\tilde h},h,\beta,a}(r)\right|dr=\left|1-{\tilde h}\int_a^{a+1/{\tilde h}}T_{h,\beta}(x)\,dx\right|\cdot\int_0^1 S_{{\tilde h},h,\beta,a}(r)\,dr=$$
    $$\left|1-{\tilde h}\int_a^{a+1/{\tilde h}}T_{h,\beta}(x)\,dx\right|\leq\left|1-\frac{{\tilde h}}{h}\right|+\left|\frac{{\tilde h}}{h}-{\tilde h}\int_a^{a+1/{\tilde h}}T_{h,\beta}(x)\,dx\right|\leq\left(1+\frac{2}{\sqrt{\beta}}\right)\delta.$$

    Now, using the mean value theorem, for any $r\in[0,1)$,

    $$\left|S'_{h,\beta,a}(r)-S''_{{\tilde h},h,\beta,a}(r)\right|\leq\left(\frac{1}{h}-\frac{1}{{\tilde h}}\right)\max_x\left|\frac{d}{dx}T_{h,\beta}(x)\right|=\left(\frac{1}{h}-\frac{1}{{\tilde h}}\right)\max_x\left|\frac{d}{dx}\sum_{k=-\infty}^{\infty}\frac{1}{\sqrt{\beta}}e^{-\pi\left(\frac{h}{\sqrt{\beta}}x-\frac{1}{\sqrt{\beta}}k\right)^2}\right|$$

    which, according to Claim A.3 using $\frac{1}{\sqrt{\beta}}\geq 2>\frac{1}{\sqrt{2\pi}}+1$, is at most

    $$\left(\frac{1}{h}-\frac{1}{{\tilde h}}\right)\cdot\frac{\tilde c}{\sqrt{\beta}}\cdot\frac{h}{\sqrt{\beta}}=\frac{\tilde c}{\beta}\left(1-\frac{h}{{\tilde h}}\right)\leq\frac{\tilde c}{\beta}\delta.$$

    To sum up,

    $$2\Delta(S_{{\tilde h},h,\beta,a},S'_{h,\beta,a})\leq\int_0^1\left|S_{{\tilde h},h,\beta,a}(r)-S''_{{\tilde h},h,\beta,a}(r)\right|dr+\int_0^1\left|S'_{h,\beta,a}(r)-S''_{{\tilde h},h,\beta,a}(r)\right|dr$$
    $$\leq\left(\frac{\tilde c}{\beta}+1+\frac{2}{\sqrt{\beta}}\right)\delta\leq\frac{\tilde c}{\beta}\delta.$$

    ∎

Theorem 6.4

For $c_{\sf N}\ge 2c_{\sf h}$ and any $c_{\sf m}\ge 0$, if there exists an algorithm $\mathcal{A}$ that, given a list $a_1,\ldots,a_m\in\{0,1,\ldots,N-1\}$, finds a nonzero vector $b\in\mathbb{Z}^m$ such that $\|b\|\le\sqrt{m}$ and $\sum_{i=1}^m b_i a_i\equiv 0\pmod N$ with probability at least $n^{-c_{\sf a}}$, where $c_{\sf a}>0$ is some constant, then there exists a solution to $\sqrt{n}\cdot\gamma(n)$-uSVP.

Note that in particular, if $b\in\{-1,0,1\}^m$ then $\|b\|\le\sqrt{m}$, and hence this theorem covers collision finding algorithms: a collision $x\ne x'\in\{0,1\}^m$ of the modular subset-sum hash $x\mapsto\sum_i a_i x_i \bmod N$ gives such a $b=x-x'$.

  • Proof:

    According to Theorem 4.1 it is enough to construct a distinguisher $\mathcal{B}$ between $U$ and $\mathcal{T}_{n,\sqrt{n}\cdot\gamma(n)}$. The distinguisher $\mathcal{B}$ works by calling the routine $\mathcal{C}$ described below $n$ times with each value $\tilde{h}=(1+n^{-c_{\tilde{\sf h}}})^i$, $i\in[\log_{1+n^{-c_{\tilde{\sf h}}}}N]$. The constant $c_{\tilde{\sf h}}$ will be specified later. If there exists an $\tilde{h}$ for which all $n$ calls to $\mathcal{C}$ accept, $\mathcal{B}$ accepts. Otherwise, for every $\tilde{h}$ there is at least one call where $\mathcal{C}$ rejects, and $\mathcal{B}$ rejects.

    The routine $\mathcal{C}(\tilde{h})$ samples $m$ values $x_1,\ldots,x_m$ from the given distribution, which we denote by $R$. It also chooses $m$ values $y_1,\ldots,y_m$ uniformly in $[0,1/\tilde{h})$. Let $z_i=x_i-y_i \bmod 1$ and $a_i=\lfloor N\cdot z_i\rfloor$. We call $\mathcal{A}$ with $a_1,\ldots,a_m$. If $\mathcal{A}$ fails we repeat the process (choosing fresh $x_i,y_i$ and calling $\mathcal{A}$ again). If after $n^{c_{\sf a}+1}$ calls $\mathcal{A}$ still fails, $\mathcal{C}$ accepts. Otherwise, we have a vector $b\in\mathbb{Z}^m$ such that $\|b\|\le\sqrt{m}$ and $\sum_{i=1}^m b_i a_i\equiv 0\pmod N$. The routine $\mathcal{C}(\tilde{h})$ accepts if $\mathrm{frc}(\sum_{i=1}^m b_i\tilde{h}y_i)<\frac14$ and rejects otherwise.

    First we show that if $R$ is the uniform distribution then for any $\tilde{h}$, $\mathcal{C}(\tilde{h})$ accepts with probability roughly $\frac12$. From this it follows that the probability that all $n$ calls to $\mathcal{C}(\tilde{h})$ accept is exponentially small, and since there are only polynomially many values of $\tilde{h}$, $\mathcal{B}$ rejects with probability exponentially close to $1$. Each number $x_i$ is uniform in $[0,1)$ and so is $z_i$. Therefore, each $a_i$ is uniform in $\{0,1,\ldots,N-1\}$ and according to our assumption, $\mathcal{A}$ succeeds with probability at least $n^{-c_{\sf a}}$. The probability that $n^{c_{\sf a}+1}$ calls fail is at most $(1-n^{-c_{\sf a}})^{n^{c_{\sf a}+1}}<e^{-n}$, which is exponentially small. In order to bound the probability that $\mathrm{frc}(\sum_{i=1}^m b_i\tilde{h}y_i)<\frac14$ we use the fact that $\mathcal{A}$ is oblivious to the decomposition of the $z_i$'s into $x_i-y_i$ and would work equally well if $z_i=x_i'-y_i'$ for some other $x_i',y_i'$. Consider the following equivalent way to create the joint distribution of $x_i,y_i,z_i$: we first choose the $z_i$'s uniformly in $[0,1)$, then choose $y_i$ uniformly in $[0,1/\tilde{h})$, and set $x_i=z_i+y_i \bmod 1$. Hence, conditioned on any values of the $z_i$'s (and therefore on $b$, which depends only on the $a_i$'s and on $\mathcal{A}$'s coins), the $y_i$'s are independent and uniform in $[0,1/\tilde{h})$, so each $\tilde{h}y_i$ is uniform in $[0,1)$. Since $b\ne 0$ is an integer vector, $\sum_{i=1}^m b_i\tilde{h}y_i \bmod 1$ is uniform in $[0,1)$ and $\mathrm{frc}(\sum_{i=1}^m b_i\tilde{h}y_i)$ is distributed uniformly in $[0,\frac12)$. The probability that $\mathrm{frc}(\sum_{i=1}^m b_i\tilde{h}y_i)<\frac14$ is therefore $\frac12$, as required.

    Now consider the case that $R$ is $T_{h,\beta}$ where $\beta\le\frac{4}{(\gamma(n))^2}$. We claim that when $\tilde{h}$ is the smallest value of the form $(1+n^{-c_{\tilde{\sf h}}})^i$ such that $\tilde{h}\ge h$, $\mathcal{C}(\tilde{h})$ rejects with probability at most $\tilde{c}mn^{2c_{\gamma}-c_{\tilde{\sf h}}}$. Therefore, by a union bound over the $n$ calls, the probability that $\mathcal{B}$ sees a rejection among its $n$ calls to $\mathcal{C}(\tilde{h})$ is at most $\tilde{c}mn^{2c_{\gamma}-c_{\tilde{\sf h}}+1}$, and it therefore accepts with probability close to $1$ if we choose a large enough $c_{\tilde{\sf h}}$. Notice that such an $\tilde{h}$ satisfies $h\le\tilde{h}<(1+n^{-c_{\tilde{\sf h}}})h$. As before, we create the joint distribution of $x_i,y_i,z_i$ by first choosing $z_i$ and then $y_i$. This allows us to use the fact that $\mathcal{A}$ is oblivious to the decomposition of $z_i$ into $x_i-y_i$. So we first choose the $z_i$'s from their unconditional distribution and then consider the distribution of $y_i$ conditioned on $z_i$, whose density is

    $$\frac{1}{\int_{z_i}^{z_i+1/\tilde{h}}T_{h,\beta}(x)\,dx}\;T_{h,\beta}(z_i+r)\qquad\forall r\in\Bigl[0,\frac{1}{\tilde{h}}\Bigr).$$

    Hence the density function of the distribution of $\tilde{h}\cdot y_i$ is exactly $S_{\tilde{h},h,\beta,z_i}$. According to Claim 6.3 the statistical distance between $S_{\tilde{h},h,\beta,z_i}$ and $S'_{h,\beta,z_i}$ is at most $\frac{\tilde{c}}{\beta}n^{-c_{\tilde{\sf h}}}\le\tilde{c}\,n^{2c_{\gamma}-c_{\tilde{\sf h}}}$. Let $\xi_1,\ldots,\xi_m$ be $m$ random variables chosen independently according to $Q_\beta$. Notice that the distribution of the random variable $\xi_i-h\cdot z_i$ is exactly $S'_{h,\beta,z_i}$. Hence, according to Claim A.6, the statistical distance between the joint distributions $(\tilde{h}\cdot y_1,\ldots,\tilde{h}\cdot y_m)$ and $(\xi_1-h\cdot z_1,\ldots,\xi_m-h\cdot z_m)$ is at most $\tilde{c}m\cdot n^{2c_{\gamma}-c_{\tilde{\sf h}}}$. Now,

    $$\sum_{i=1}^m b_i(\xi_i-h\cdot z_i) \bmod 1=\sum_{i=1}^m b_i\xi_i-\sum_{i=1}^m b_i\cdot h\cdot z_i \bmod 1.$$

    According to Claim 6.1, $\sum_{i=1}^m b_i\xi_i$ has a normal distribution with mean $0$ and standard deviation

    $$\|b\|\cdot\sqrt{\frac{\beta}{2\pi}}\le\sqrt{\frac{m\beta}{2\pi}}\le\sqrt{\frac{2m}{\pi(\gamma(n))^2}}=o\Bigl(\frac{1}{\sqrt{\log n}}\Bigr).$$

    Therefore, according to Claim A.1, the probability that $\mathrm{frc}(\sum_{i=1}^m b_i\xi_i)>\frac18$ is negligible. Now,

    $$\mathrm{frc}\Bigl(\sum_{i=1}^m b_i\cdot h\cdot z_i\Bigr)=\mathrm{frc}\Bigl(\sum_{i=1}^m\frac{h}{N}\,b_i\,Nz_i\Bigr)\le\mathrm{frc}\Bigl(\sum_{i=1}^m\frac{h}{N}\,b_i a_i\Bigr)+\sum_{i=1}^m\frac{h}{N}\,|b_i|=\sum_{i=1}^m\frac{h}{N}\,|b_i|\le m\cdot\frac{h}{N}\cdot\sqrt{m},$$

    where the inequality uses $0\le Nz_i-a_i<1$, the equality uses that $\sum_i b_i a_i$ is a multiple of $N$ and $h$ is an integer (so $\frac{h}{N}\sum_i b_i a_i$ is an integer and its $\mathrm{frc}$ is $0$), and the last step uses $|b_i|\le\|b\|\le\sqrt{m}$.

    Therefore, except with negligible probability,

    $$\mathrm{frc}\Bigl(\sum_{i=1}^m b_i(\xi_i-h\cdot z_i)\Bigr)\le\frac18+m\cdot\frac{h}{N}\sqrt{m}<\frac14,$$

    where we used the fact that $h\le 2^{c_{\sf h}n^2}\le\sqrt{N}$ (this is where the hypothesis $c_{\sf N}\ge 2c_{\sf h}$ is needed), so that $m^{3/2}h/N\le m^{3/2}/\sqrt{N}$ is negligible. Since the joint distribution of $(\tilde{h}y_1,\ldots,\tilde{h}y_m)$ is within statistical distance $\tilde{c}m\cdot n^{2c_{\gamma}-c_{\tilde{\sf h}}}$ of that of $(\xi_1-h z_1,\ldots,\xi_m-h z_m)$, this implies that the probability that $\mathrm{frc}(\sum_{i=1}^m b_i\tilde{h}y_i)\ge\frac14$, i.e., that $\mathcal{C}(\tilde{h})$ rejects, is at most $\tilde{c}m\cdot n^{2c_{\gamma}-c_{\tilde{\sf h}}}$ plus a negligible amount. $\square$
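The reduction above is easiest to follow when it runs. The following Python is an added illustration written for this page, not code from the paper: it implements the routine $\mathcal{C}(\tilde{h})$ and the distinguisher $\mathcal{B}$ at toy scale, with a brute-force collision finder standing in for the assumed algorithm $\mathcal{A}$ (it only ever sees the $a_i$, so it is oblivious to the split $z_i=x_i-y_i$, exactly the property the proof relies on). Everything not in the text is an assumption made here: the toy parameters $N=2^{11}$ and $m=12$ (chosen so that $2^m>N$ and a collision of the hash always exists), the hidden period $h=7\le\sqrt{N}$ and width $\beta=0.0005$, that $T_{h,\beta}$ is sampled as $h$ periods of a Gaussian of variance $\beta/2\pi$ wrapped around $[0,1)$, and, because $h$ is a small integer here, that $\mathcal{B}$ tries every integer $\tilde{h}\le 16$ instead of the geometric grid $(1+n^{-c_{\tilde{\sf h}}})^i$ the proof needs when $h$ may be exponentially large.

```python
import math
import random

# Toy parameters (assumed for this illustration; in the paper N, m and the
# number of calls are all functions of the security parameter n).
N_MOD = 2 ** 11     # modulus N of the subset-sum hash
M = 12              # m > log2(N): a collision in {0,1}^m always exists (pigeonhole)
H_MAX = 16          # candidate periods tried by B (paper: geometric grid up to 2^(c_h n^2))
N_CALLS = 20        # calls to C per candidate h~ (paper: n)
MAX_TRIES = 50      # failed calls to A before C gives up and accepts (paper: n^(c_a+1))


def frc(t):
    """Distance from t to the nearest integer, in [0, 1/2]."""
    t = t % 1.0
    return min(t, 1.0 - t)


def uniform_sampler(rng):
    """Samples from U, the uniform distribution on [0, 1)."""
    return rng.random


def periodic_gaussian_sampler(h, beta, rng):
    """Samples from T_{h,beta}: h periods of a Gaussian of variance beta/(2 pi)
    wrapped around [0, 1) (assumed form of the paper's Q_beta)."""
    sigma = math.sqrt(beta / (2.0 * math.pi))

    def sample():
        return ((rng.randrange(h) + rng.gauss(0.0, sigma)) / h) % 1.0
    return sample


def find_short_relation(a, N):
    """Toy stand-in for the assumed algorithm A: brute-force collision finder for
    the hash x -> sum(a_i x_i) mod N on {0,1}^m.  Returns a nonzero b in {-1,0,1}^m
    with sum(b_i a_i) = 0 mod N (so ||b|| <= sqrt(m)), or None if there is none.
    It sees only the a_i, so it is oblivious to how each z_i was split as x_i - y_i."""
    m = len(a)
    seen = {0: 0}                                    # hash value -> subset bitmask
    for mask in range(1, 1 << m):
        s = sum(a[i] for i in range(m) if (mask >> i) & 1) % N
        if s in seen:                                # two subsets with equal hash
            other = seen[s]
            return [((mask >> i) & 1) - ((other >> i) & 1) for i in range(m)]
        seen[s] = mask
    return None


def routine_C(h_tilde, sample, rng, N=N_MOD, m=M, max_tries=MAX_TRIES):
    """The routine C(h~) of the proof: hide each sample x_i inside z_i = x_i - y_i,
    hash the z_i, and test whether the relation b found by A also cancels the y_i."""
    for _ in range(max_tries):
        x = [sample() for _ in range(m)]
        y = [rng.uniform(0.0, 1.0 / h_tilde) for _ in range(m)]
        z = [(xi - yi) % 1.0 for xi, yi in zip(x, y)]
        a = [min(int(N * zi), N - 1) for zi in z]    # floor(N z_i), guarded against z_i rounding to 1.0
        b = find_short_relation(a, N)
        if b is not None:
            return frc(sum(bi * h_tilde * yi for bi, yi in zip(b, y))) < 0.25
    return True                                      # A kept failing: accept, as in the proof


def distinguisher_B(sample, rng, h_max=H_MAX, n_calls=N_CALLS):
    """B accepts iff some candidate h~ makes all n_calls calls to C accept."""
    for h_tilde in range(1, h_max + 1):
        if all(routine_C(h_tilde, sample, rng) for _ in range(n_calls)):
            return True
    return False


def acceptance_rate(h_tilde, sample, rng, trials=200):
    """Empirical acceptance probability of C(h~) on the given input distribution."""
    return sum(routine_C(h_tilde, sample, rng) for _ in range(trials)) / trials


def run_demo(seed=2003, h=7, beta=0.0005):
    """Run the experiment with a fixed seed (h <= sqrt(N), as the theorem requires)."""
    rng = random.Random(seed)
    return {
        "C(h) on U": acceptance_rate(h, uniform_sampler(rng), rng),
        "C(h) on T_{h,beta}": acceptance_rate(h, periodic_gaussian_sampler(h, beta, rng), rng),
        "B on U": distinguisher_B(uniform_sampler(rng), rng),
        "B on T_{h,beta}": distinguisher_B(periodic_gaussian_sampler(h, beta, rng), rng),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>20}: {value}")
```

On $U$ the routine accepts on about half of the calls, as computed in the proof, and $\mathcal{B}$ rejects; on $T_{h,\beta}$ the candidate $\tilde{h}=h$ accepts essentially always, because $\sum_i b_i\tilde{h}y_i\equiv\sum_i b_i\xi_i-\frac{h}{N}\sum_i b_i(Nz_i-a_i)\pmod 1$ is tiny. Integer multiples of $h$ also pass, which is harmless since $\mathcal{B}$ only needs some $\tilde{h}$ to succeed. The error term $\frac{h}{N}\sum_i|b_i|$ is about $0.04$ at these toy sizes, whereas in the paper it is negligible because $h\le\sqrt{N}$ and $N$ is exponentially large.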

7 Quantum Computation

In this section we show a result related to a problem in quantum computation known as the dihedral hidden subgroup problem. One reason this problem is interesting is that, under certain conditions, solving it implies a quantum solution to uSVP [17]. In [6], Ettinger and Høyer reduced the problem to the problem of finding an integer $k$ given access to the distribution $Z_k$ where $\Pr(Z_k=z)=\frac{2}{N}\cos^2(\pi kz/N)$ for $z=0,1,\ldots,N-1$. They presented an exponential time classical algorithm that uses only a polynomial number of samples of $Z_k$. Hence, a polynomial number of samples contains enough information to find $k$. The question of whether there exists an efficient algorithm remained open. In this section we will show that a solution to their problem implies a solution to $n^c$-uSVP for some $c$.

We start by extending Theorem 4.1 to more general periodic distributions. Let $D$ be a distribution on $[0,1)$ whose density function satisfies $D(r)\le c_{\sf D}$ and $|D(r)-D(r+\epsilon \bmod 1)|\le c_{\sf D}\,\epsilon$ for all $r,\epsilon\in[0,1)$, for some constant $c_{\sf D}$. For $h\in\mathbb{N}$, define

$$T^D_h(r)=D(rh \bmod 1)$$

to be the distribution on $[0,1)$ given by $h$ periods of $D$. Moreover, define

$$\mathcal{T}^D_n=\left\{T^D_h~\middle|~h\in\mathbb{N},~h\le 2^{c_{\sf h}n^2}\right\},$$

where $c_{\sf h}$ is the constant from Lemma 4.9 and $n$ is the size parameter of the problem.

Lemma 7.1

If there exists a distinguisher between $U$ and $\mathcal{T}^D_n$ then there exists a solution to $n^c$-uSVP for some $c>0$.

  • Proof:

    Assume $\mathcal{A}$ is a distinguisher between $U$ and $\mathcal{T}^D_n$ and assume that it uses $n^{c_{\sf A}}$ samples of the given distribution for some $c_{\sf A}>0$. Let $p_u$ denote the acceptance probability of $\mathcal{A}$ on inputs from distribution $U$ and for $h\in\mathbb{N}$ let $p_h$ denote its acceptance probability on inputs from $T^D_h$. According to our hypothesis $|p_u-p_h|\ge n^{-c_{\sf d}}$ for all $h\in[2^{c_{\sf h}n^2}]$, for some constant $c_{\sf d}>0$.

    We construct a distinguisher ${\cal B}$ between $U$ and ${\cal T}_{n,n^c}$ for some large enough $c>0$. The lemma then follows from Theorem 4.1. Let $R$ denote the given distribution. First, ${\cal B}$ chooses a value $\tilde h$ uniformly from the set $\{1,\,1+\mu,\,(1+\mu)^2,\,\ldots,\,2^{c_{\sf h}n^2}\}$ where $\mu=n^{-c_\mu}$ for some constant $c_\mu>0$ to be chosen later. Then, define the distribution $R'$ as

    $$R'=R+\frac{D}{\tilde h}\ \bmod 1,$$

    i.e., a sample from $R'$ is given by $x+r/\tilde h \bmod 1$ where $x$ is chosen from $R$ and $r$ is chosen from $D$. It then estimates the acceptance probability of ${\cal A}$ using sequences of samples from $R'$, each of length $n^{c_{\sf A}}$. According to the Chernoff bound, using a polynomial number of sequences, we can obtain an estimate that with probability exponentially close to 1 is within $\frac{1}{4n^{c_{\sf d}}}$ of the actual acceptance probability. If the estimate differs from $p_u$ by at least $\frac{1}{2n^{c_{\sf d}}}$, ${\cal B}$ accepts; otherwise, it rejects. This completes the description of ${\cal B}$.

    When $R$ is the uniform distribution then $R'$ is also the uniform distribution. Therefore, with probability exponentially close to 1, ${\cal B}$'s estimate is within $\frac{1}{4n^{c_{\sf d}}}$ of $p_u$ and ${\cal B}$ rejects. Hence, it remains to show that ${\cal B}$ accepts with some non-negligible probability when $R$ is $T_{h,\beta}$ where $h\le 2^{c_{\sf h}n^2}$ and $\beta\le n^{-c_\beta}$ for some large enough $c_\beta$.

    Consider the event in which $h\le\tilde h<(1+\mu)h$. Notice that it happens with non-negligible probability since $\tilde h$ is chosen from a set of size polynomial in $n$. The following claim will complete the proof by showing that the statistical distance between $R'$ and $T^D_h$ is smaller than $n^{-c_{\sf A}-c_{\sf d}}/4$. Using Claim A.6, it follows that the statistical distance between a sequence of $n^{c_{\sf A}}$ elements of $R'$ and a sequence of $n^{c_{\sf A}}$ elements of $T^D_h$ is at most $n^{-c_{\sf d}}/4$. Finally, using Equation 1, this implies that ${\cal A}$'s success probability on sequences from $R'$ is within $n^{-c_{\sf d}}/4$ of $p_h$ and since $|p_u-p_h|\ge n^{-c_{\sf d}}$, ${\cal B}$ accepts.

    Claim 7.2

    For $\tilde h$ as above and for large enough $c_\beta$ and $c_\mu$, the statistical distance $\Delta(R',T^D_h)\le n^{-c_{\sf A}-c_{\sf d}}/4$.

    • Proof:

      Consider the distribution $R''$ given by

      $$R''=T_{h,\beta}+\frac{D}{h}\ \bmod 1.$$

      The distribution $R''$ can be seen as a random function of the distribution $D$: given a value $r$ drawn from $D$, sample a value $x$ from $T_{h,\beta}$ and output $x+r/h$. Notice that $R'$ is given by applying the same function to the distribution $(h/\tilde h)D$. Hence, using Equation 1,

      $$\begin{aligned}
      \Delta(R',R'')\le\Delta\Big(D,\tfrac{h}{\tilde h}D\Big) &= \int_0^{h/\tilde h}\Big|D(r)-D\Big(\tfrac{\tilde h}{h}r\Big)\Big|\,dr+\int_{h/\tilde h}^{1}D(r)\,dr \qquad (4)\\
      &\le c_{\sf D}\Big(1-\tfrac{h}{\tilde h}\Big)+\Big(1-\tfrac{h}{\tilde h}\Big)c_{\sf D}\\
      &\le 2c_{\sf D}\,\mu=2c_{\sf D}\,n^{-c_\mu}.
      \end{aligned}$$

      We next bound the statistical distance between $T^D_h$ and $R''$. Let $X$ be a random variable distributed uniformly over $\{0,\frac1h,\ldots,\frac{h-1}{h}\}$. Then, it can be seen that

      $$T^D_h=X+\frac{D}{h}\ \bmod 1.$$

      Now, let $Y$ be another random variable distributed normally with mean 0 and variance $\frac{\beta}{2\pi}$. Then, as in Claim 5.2, $T_{h,\beta}=X+Y/h \bmod 1$ and hence,

      $$R''=X+\frac{Y}{h}+\frac{D}{h}\ \bmod 1.$$

      Therefore, $T^D_h$ can be seen as a random function applied to a sample from $\frac{D}{h}$ while $R''$ can be seen as the same function applied to a sample from $\frac{Y}{h}+\frac{D}{h}$. From Equation 1 it follows that

      $$\Delta(T^D_h,R'')\le\Delta\Big(\tfrac1h D,\ \tfrac1h(D+Y)\Big)=\Delta(D,D+Y). \qquad (5)$$

      Let $Y'$ be the restriction of a normal distribution with mean 0 and variance $\frac{\beta}{2\pi}$ to the range $[-n\sqrt\beta,n\sqrt\beta]$. More formally,

      $$Y'(r)=Y(r)\Big/\int_{-n\sqrt\beta}^{n\sqrt\beta}Y(r)\,dr$$

      for $r\in[-n\sqrt\beta,n\sqrt\beta]$ and $Y'(r)=0$ elsewhere. From Claim A.1 it follows that the distribution of $Y$ is very close to that of $Y'$:

      $$\Delta(Y,Y')\le\sqrt{\frac{2}{\pi}}\cdot\frac{1}{n\sqrt{2\pi}}\cdot e^{-\pi n^2}=2^{-\Omega(n^2)}. \qquad (6)$$

      Now, using the fact that $Y'$ always takes values of small absolute value,

      $$\begin{aligned}
      \big|D(r)-(D+Y')(r)\big| &= \Big|D(r)-\int_{-n\sqrt\beta}^{n\sqrt\beta}D(r-x)\,Y'(x)\,dx\Big|\\
      &\le \int_{-n\sqrt\beta}^{n\sqrt\beta}\big|D(r)-D(r-x)\big|\,Y'(x)\,dx\\
      &\le c_{\sf D}\,n\sqrt\beta\int_{-n\sqrt\beta}^{n\sqrt\beta}Y'(x)\,dx\\
      &= c_{\sf D}\,n\sqrt\beta.
      \end{aligned}$$

      Since both $D(r)$ and $(D+Y')(r)$ are zero for $r<-n\sqrt\beta$ and for $r>1+n\sqrt\beta$,

      $$\begin{aligned}
      \Delta(D,D+Y') &= \int_{-n\sqrt\beta}^{1+n\sqrt\beta}\big|D(r)-(D+Y')(r)\big|\,dr \qquad (7)\\
      &\le (1+2n\sqrt\beta)\cdot c_{\sf D}\,n\sqrt\beta\\
      &\le (1+2n^{1-c_\beta/2})\cdot c_{\sf D}\,n^{1-c_\beta/2}\le 2c_{\sf D}\,n^{1-c_\beta/2}
      \end{aligned}$$

      for large enough $c_\beta$. Finally, combining Equations 4, 5, 6, 7 and using the triangle inequality, we obtain

      $$\Delta(R',T^D_h)\le 2c_{\sf D}\,n^{-c_\mu}+2^{-\Omega(n^2)}+2c_{\sf D}\,n^{1-c_\beta/2}\le n^{-c_{\sf A}-c_{\sf d}}/4$$

      for large enough $c_\beta$ and $c_\mu$. ∎

    This completes the proof of Lemma 7.1. ∎

We can now prove the main theorem of this section.

Theorem 7.3

For $k\in\mathbb{N}$, $k<N$, define the distribution $Z_k$ by $\Pr(Z_k=z)=2/N\cdot\cos^2(\pi kz/N)$ for $z=0,1,\ldots,N-1$. Assume there exists an algorithm ${\cal A}$ that, given a polynomial (in $\log N$) number of samples from $Z_k$, returns $k$ with probability exponentially close to 1. Then, there exists a solution to $n^c$-uSVP for some $c$.

We remark that it is possible to relax the assumptions of the theorem. It is enough if the algorithm returns $k$ with non-negligible probability. Also, it is enough if the algorithm finds $k$ only for some non-negligible fraction of all possible $k$'s.

  • Proof:

    Let $D$ be the distribution on $[0,1)$ given by $D(r)=2\cos^2(\pi r)$. An easy calculation shows that the absolute value of its derivative is at most $4\pi$. Therefore, it satisfies the conditions stated before Lemma 7.1 with $c_{\sf D}=4\pi$. Using Lemma 7.1, it is enough to show how to distinguish between $U$ and ${\cal T}^D_n$.

    Given an unknown distribution $R$, let $R'$ be the distribution given by $\lfloor N\cdot R\rfloor$ where $N$ is chosen to be large enough, say, $2^{2c_{\sf h}n^2}$. We call ${\cal A}$ with enough samples from $R'$ and obtain a value $k$. Finally, we take one sample $r$ from $R$ and accept if $\mathrm{frc}(rk)<1/4$ and reject otherwise.

    First, consider the case where $R$ is the uniform distribution. Then no matter which value of $k$ we obtain, the probability that $\mathrm{frc}(rk)<1/4$ is exactly $1/2$. Now consider the case where $R$ is $T^D_h$ for some $h\le 2^{c_{\sf h}n^2}$. For any $r=0,\ldots,N-1$, the probability that $R'=r$ is given by

    $$\int_{r/N}^{(r+1)/N}D(hx \bmod 1)\,dx=\int_{r/N}^{(r+1)/N}2\cos^2(\pi hx)\,dx.$$

    From the bound on the derivative of $D$ mentioned above, we obtain that the distance of this integral from $2/N\cdot\cos^2(\pi hr/N)$ is at most $4\pi^2h/N^2$. Therefore, the statistical distance between $R'$ and $Z_h$ is

    $$\Delta(Z_h,R')\le\frac{N}{2}\cdot 4\pi^2h/N^2=2^{-\Omega(n^2)}.$$

    Since the number of samples given to ${\cal A}$ is only polynomial in $n$, its input is still within statistical distance $2^{-\Omega(n^2)}$ of $Z_h$ and it therefore outputs $h$ with probability exponentially close to 1. With $k=h$, a sample $r=x+d/h \bmod 1$ of $T^D_h$ (where $hx$ is an integer and $d$ is drawn from $D$) satisfies $rk \bmod 1=d$, so $rk \bmod 1$ is distributed according to $D$. Then, the probability that $\mathrm{frc}(rk)<1/4$ is given by

    $$\int_{-1/4}^{1/4}2\cos^2(\pi r)\,dr=\frac12+\frac1\pi,$$

    which is bounded away from the $1/2$ of the uniform case by a constant.

    ∎
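The distinguisher in the proof of Theorem 7.3 has two pieces that can be checked numerically: the law of $\lfloor N\cdot R\rfloor$ when $R=T^D_h$ is within statistical distance $O(h/N)$ of $Z_h$, and the final test $\mathrm{frc}(rk)<1/4$ accepts with probability $1/2$ on uniform input but $1/2+1/\pi$ when $k=h$. The following Python script is an added example, not code from the paper. It samples $D$ by rejection, builds $T^D_h$ as $X+D/h \bmod 1$, runs the final test with $k$ set to the true $h$ (standing in for the output of the hypothetical algorithm ${\cal A}$, which the example does not have), and computes the rounding distance $\Delta(Z_h,\lfloor N\cdot T^D_h\rfloor)$ exactly for a small $N$ rather than the $2^{2c_{\sf h}n^2}$ of the proof. It takes $\mathrm{frc}(x)$ to be the distance from $x$ to the nearest integer, the reading under which the uniform case gives exactly $1/2$ and the $T^D_h$ case gives $1/2+1/\pi$; the sample counts, seed, $h$ and $N$ are arbitrary choices for a quick run.

```python
import math
import random


def D_pdf(r: float) -> float:
    """Density D(r) = 2 cos^2(pi r) on [0,1) from the proof of Theorem 7.3."""
    return 2.0 * math.cos(math.pi * r) ** 2


def sample_D(rng: random.Random) -> float:
    """Rejection sampling from D. The density never exceeds 2, so propose
    r ~ U[0,1), u ~ U[0,2) and keep r whenever u < D(r)."""
    while True:
        r = rng.random()
        if rng.random() * 2.0 < D_pdf(r):
            return r


def sample_T_D_h(rng: random.Random, h: int) -> float:
    """One sample of T^D_h = X + D/h mod 1 with X uniform on {0, 1/h, ..., (h-1)/h}."""
    x = rng.randrange(h) / h
    return (x + sample_D(rng) / h) % 1.0


def frc(x: float) -> float:
    """Distance from x to the nearest integer (assumed reading of frc)."""
    y = x % 1.0
    return min(y, 1.0 - y)


def accept_rate(samples, k: int) -> float:
    """Fraction of samples r that pass the final test frc(r k) < 1/4."""
    return sum(1 for r in samples if frc(r * k) < 0.25) / len(samples)


def expected_accept_prob() -> float:
    """Closed form of the integral of 2cos^2(pi r) over [-1/4, 1/4]: 1/2 + 1/pi."""
    return 0.5 + 1.0 / math.pi


def simulate(seed: int, h: int, n_samples: int):
    """Empirical acceptance rates with k = h (assumed to be what A would return)
    on T^D_h input and on uniform input. Returns (rate_on_T, rate_on_uniform)."""
    rng = random.Random(seed)
    t_samples = [sample_T_D_h(rng, h) for _ in range(n_samples)]
    u_samples = [rng.random() for _ in range(n_samples)]
    return accept_rate(t_samples, h), accept_rate(u_samples, h)


def Z_k_pmf(k: int, N: int):
    """The distribution Z_k of Theorem 7.3: Pr[Z_k = z] = 2/N cos^2(pi k z / N)."""
    return [2.0 / N * math.cos(math.pi * k * z / N) ** 2 for z in range(N)]


def rounded_T_D_h_pmf(h: int, N: int):
    """Exact law of floor(N * T^D_h): Pr[z] is the integral of 2cos^2(pi h x) over
    [z/N, (z+1)/N], i.e. 1/N + (sin(2 pi h (z+1)/N) - sin(2 pi h z/N)) / (2 pi h)."""
    pmf = []
    for z in range(N):
        a, b = z / N, (z + 1) / N
        pmf.append((b - a) + (math.sin(2 * math.pi * h * b)
                              - math.sin(2 * math.pi * h * a)) / (2 * math.pi * h))
    return pmf


def stat_distance(p, q) -> float:
    """Statistical distance in the paper's convention: sum of absolute differences."""
    return sum(abs(x - y) for x, y in zip(p, q))


def rounding_distance_and_bound(h: int, N: int):
    """Delta(Z_h, floor(N T^D_h)) next to the proof's bound N/2 * 4 pi^2 h / N^2."""
    dist = stat_distance(Z_k_pmf(h, N), rounded_T_D_h_pmf(h, N))
    return dist, (N / 2) * 4 * math.pi ** 2 * h / N ** 2


if __name__ == "__main__":
    rate_t, rate_u = simulate(seed=1, h=13, n_samples=50_000)
    print(f"accept on T^D_h with k=h: {rate_t:.4f} (expected {expected_accept_prob():.4f})")
    print(f"accept on uniform input:  {rate_u:.4f} (expected 0.5000)")
    dist, bound = rounding_distance_and_bound(h=5, N=1 << 14)
    print(f"Delta(Z_h, floor(N T^D_h)) = {dist:.3e} <= bound {bound:.3e}")
```

The rounding check is exact rather than sampled: the integral of $2\cos^2(\pi hx)$ over each bin has a closed form, so the script compares it bin by bin with $Z_h$ and confirms the total stays under the derivative-based bound used in the proof. The two acceptance rates are Monte Carlo estimates and should land near $0.818$ and $0.500$ respectively; their gap is the constant advantage the distinguisher relies on.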

8 Acknowledgements

I thank Irit Dinur for suggesting that I look at cryptographic constructions and Daniele Micciancio for many helpful comments on an earlier draft of this paper.


Appendix A Several Technical Claims

Claim A.1

The probability that the distance of a normal variable with variance $\sigma^{2}$ from its mean is more than $t$ is at most $\sqrt{\frac{2}{\pi}}\cdot\frac{\sigma}{t}e^{-\frac{t^{2}}{2\sigma^{2}}}$.

  • Proof:

    $$\int_{t}^{\infty}\frac{1}{\sqrt{2\pi}\sigma}e^{-\frac{x^{2}}{2\sigma^{2}}}dx \le \int_{t}^{\infty}\left(1+\frac{\sigma^{2}}{x^{2}}\right)\frac{1}{\sqrt{2\pi}\sigma}e^{-\frac{x^{2}}{2\sigma^{2}}}dx = -\frac{1}{\sqrt{2\pi}\sigma}\cdot\frac{\sigma^{2}}{x}e^{-\frac{x^{2}}{2\sigma^{2}}}\bigg|_{x=t}^{\infty} = \frac{\sigma}{\sqrt{2\pi}t}e^{-\frac{t^{2}}{2\sigma^{2}}}.$$

    This bounds one tail; the distance from the mean can exceed $t$ on either side, so the two-sided probability is at most twice this value, which is the bound stated in the claim.

Claim A.2

$$\forall x,r\in\mathbb{R},\quad \sum_{k\in\mathbb{Z}}e^{-\pi(kr+x)^{2}}\le 1+\frac{1}{r}$$

  • Proof:

    Let $k'\in\mathbb{Z}$ be such that $|k'r+x|$ is minimized. Then,

    $$\sum_{k\in\mathbb{Z}}e^{-\pi(kr+x)^{2}} \le 1+\sum_{k\in\mathbb{Z}\setminus\{k'\}}e^{-\pi(kr+x)^{2}} = 1+\frac{1}{r}\sum_{k\in\mathbb{Z}\setminus\{k'\}}r\cdot e^{-\pi(kr+x)^{2}} \le 1+\frac{1}{r}\int_{-\infty}^{\infty}e^{-\pi y^{2}}dy = 1+\frac{1}{r}$$

    where changing the sum to an integral is possible because each term $r\cdot e^{-\pi(kr+x)^{2}}$ is the area of a rectangle of width $r$ and height $e^{-\pi(kr+x)^{2}}$, and once the term closest to the origin has been removed these rectangles fit side by side under the graph of $e^{-\pi y^{2}}$; that is, the sum can be seen as the area under a function that lies completely below $e^{-\pi y^{2}}$.

Claim A.3

For any $a,x\in\mathbb{R}$ and any $b>\frac{1}{\sqrt{2\pi}}+1$,

$$\left|\frac{d}{dx}\sum_{k\in\mathbb{Z}}e^{-\pi(bk+ax)^{2}}\right|\le\tilde{c}\,a$$

  • Proof:

    Let $z$ denote $a\cdot x$. Then,

    $$\left|\frac{d}{dx}\sum_{k\in\mathbb{Z}}e^{-\pi(bk+ax)^{2}}\right| = a\left|\frac{d}{dz}\sum_{k\in\mathbb{Z}}e^{-\pi(bk+z)^{2}}\right| = a\left|\sum_{k\in\mathbb{Z}}-2\pi(bk+z)e^{-\pi(bk+z)^{2}}\right| \le a\sum_{k\in\mathbb{Z}}\left|2\pi(bk+z)e^{-\pi(bk+z)^{2}}\right|.$$

    In the following we will upper bound

    $$\sum_{k\in\{0,1,\ldots\}}\left|2\pi(bk+y)e^{-\pi(bk+y)^{2}}\right|$$

    where $y\in[0,b]$. The upper bound for the original expression is clearly at most $2a$ times this value: the terms with $bk+z\ge 0$ and the terms with $bk+z<0$ each form a sum of this shape, since the summand depends only on $|bk+z|$. The function $|2\pi ye^{-\pi y^{2}}|$ is increasing from $0$ to $\frac{1}{\sqrt{2\pi}}$ where it attains the maximum value of $\sqrt{2\pi e}$. After that point it is monotonically decreasing. Hence,

    $$\sum_{k\in\mathbb{N}}\left|2\pi(bk+y)e^{-\pi(bk+y)^{2}}\right| = \left|2\pi ye^{-\pi y^{2}}\right|+\sum_{k\in\{1,2,\ldots\}}\left|2\pi(bk+y)e^{-\pi(bk+y)^{2}}\right| \le \sqrt{2\pi e}+\int_{0}^{\infty}\left|2\pi ye^{-\pi y^{2}}\right|dy = \sqrt{2\pi e}+1$$

    where changing from summation to integration is possible because $b\ge 1$ and because the function is decreasing from $\frac{1}{\sqrt{2\pi}}$ and the first $y$ in the sum is at least $\frac{1}{\sqrt{2\pi}}+1$.
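The three one-dimensional Gaussian estimates above (Claims A.1, A.2 and A.3) can be checked numerically. The following Python script is an added example, not code from the paper: the grid of test points, the rule used to truncate the infinite sums, and the constant `C_TILDE = 2(sqrt(2*pi*e) + 1)` read off from the end of the proof of Claim A.3 are this example's own choices.

```python
"""Numerical checks of the one-dimensional Gaussian estimates in Claims A.1, A.2 and A.3.

Added example; the functions, grids and truncation rule below are this script's own
choices, not part of the paper.
"""
import math


def gaussian_tail_exact(sigma: float, t: float) -> float:
    """P(|X| > t) for X ~ N(0, sigma^2), via the complementary error function."""
    return math.erfc(t / (sigma * math.sqrt(2.0)))


def gaussian_tail_bound(sigma: float, t: float) -> float:
    """The two-sided bound of Claim A.1: sqrt(2/pi) * (sigma/t) * exp(-t^2 / (2 sigma^2))."""
    return math.sqrt(2.0 / math.pi) * (sigma / t) * math.exp(-t * t / (2.0 * sigma * sigma))


def periodic_gaussian_sum(x: float, r: float) -> float:
    """sum_{k in Z} exp(-pi (k r + x)^2), the sum bounded in Claim A.2 (requires r > 0).

    Terms with |k r + x| >= 6 are below exp(-36 pi) ~ 1e-49 each, so the sum is
    truncated once k r + x leaves the interval [-6, 6].
    """
    kmax = math.ceil((abs(x) + 6.0) / r)
    return sum(math.exp(-math.pi * (k * r + x) ** 2) for k in range(-kmax, kmax + 1))


def claim_a2_max_slack(rs, xs) -> float:
    """max over the grid of  sum_k exp(-pi(kr+x)^2) - (1 + 1/r);  Claim A.2 says this is <= 0."""
    return max(periodic_gaussian_sum(x, r) - (1.0 + 1.0 / r) for r in rs for x in xs)


def periodic_gaussian_sum_derivative(x: float, a: float, b: float) -> float:
    """d/dx of sum_k exp(-pi (b k + a x)^2), differentiated term by term as in the proof of Claim A.3."""
    z = a * x
    kmax = math.ceil((abs(z) + 6.0) / b)
    return sum(-2.0 * math.pi * a * (b * k + z) * math.exp(-math.pi * (b * k + z) ** 2)
               for k in range(-kmax, kmax + 1))


# The constant the proof of Claim A.3 actually yields: 2 * (sqrt(2 pi e) + 1).
C_TILDE = 2.0 * (math.sqrt(2.0 * math.pi * math.e) + 1.0)


def claim_a3_max_ratio(a: float, b: float, xs) -> float:
    """max over xs of |d/dx sum_k exp(-pi(bk+ax)^2)| / a;  Claim A.3 says this is <= C_TILDE."""
    return max(abs(periodic_gaussian_sum_derivative(x, a, b)) / a for x in xs)


def finite_difference(x: float, a: float, b: float, h: float = 1e-5) -> float:
    """Central difference of the sum itself, to cross-check the term-by-term derivative."""
    return (periodic_gaussian_sum(a * (x + h), b) - periodic_gaussian_sum(a * (x - h), b)) / (2.0 * h)


if __name__ == "__main__":
    grid = [i / 100.0 for i in range(0, 101)]
    print("Claim A.1: P(|X|>3s) =", gaussian_tail_exact(1.0, 3.0), "<=", gaussian_tail_bound(1.0, 3.0))
    print("Claim A.2: max slack over grid =", claim_a2_max_slack([0.1, 0.25, 0.5, 1.0, 2.0, 5.0], grid))
    print("Claim A.3: max |S'(x)|/a =", claim_a3_max_ratio(3.0, 2.0, grid), "<=", C_TILDE)
```

The slack in Claim A.2 is always negative on the grid, and the derivative ratio in Claim A.3 stays far below `C_TILDE` (the proof's constant is loose by design: it only needs to be some fixed number independent of $a$ and $x$).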

Claim A.4

Let $L$ be a lattice and let $f:\mathbb{R}^{n}\to\mathbb{R}$ be periodic on $L$, i.e., $f(x)=f(x+y)$ for all $x\in\mathbb{R}^{n}$ and $y\in L$. Then, for any two bases $v_{1},\ldots,v_{n}$ and $u_{1},\ldots,u_{n}$ of $L$,

$$\int_{\mathcal{P}(v_{1},\ldots,v_{n})}f(x)dx=\int_{\mathcal{P}(u_{1},\ldots,u_{n})}f(x)dx.$$

  • Proof:

    One can get from one basis of a lattice to any other by a finite sequence of operations of the following two types: replace vector $v_{i}$ by $-v_{i}$ and replace vector $v_{i}$ by $v_{i}+v_{j}$ for some $i\ne j$. Hence, it is enough to show that the integral is invariant under these two operations. Define the following 'half' parallelepipeds:

    $$\mathcal{P}_{1}=\Big\{\sum_{i=1}^{n}\alpha_{i}v_{i}~\Big|~\alpha_{i}\in[0,1),~\alpha_{2}\ge\alpha_{1}\Big\}$$
    $$\mathcal{P}_{2}=\Big\{\sum_{i=1}^{n}\alpha_{i}v_{i}~\Big|~\alpha_{i}\in[0,1),~\alpha_{2}<\alpha_{1}\Big\}$$
    $$\mathcal{P}_{3}=\Big\{\sum_{i=1}^{n}\alpha_{i}v_{i}+v_{2}~\Big|~\alpha_{i}\in[0,1),~\alpha_{2}<\alpha_{1}\Big\}$$

    Note that $\mathcal{P}(v_{1},\ldots,v_{n})$ is equal to $\mathcal{P}_{1}\cup\mathcal{P}_{2}$ and $\mathcal{P}(v_{1}+v_{2},v_{2},\ldots,v_{n})=\mathcal{P}_{1}\cup\mathcal{P}_{3}$. But since $\mathcal{P}_{3}$ is a shift of $\mathcal{P}_{2}$ by $v_{2}\in L$,

    $$\int_{\mathcal{P}(v_{1},\ldots,v_{n})}f(x)dx=\int_{\mathcal{P}_{1}}f(x)dx+\int_{\mathcal{P}_{2}}f(x)dx=\int_{\mathcal{P}_{1}}f(x)dx+\int_{\mathcal{P}_{3}}f(x)dx=\int_{\mathcal{P}(v_{1}+v_{2},v_{2},\ldots,v_{n})}f(x)dx.$$

    A similar argument shows that the integral is invariant under negation of basis vectors.

Claim A.5

For any vector $v\in L$,

$$\int_{\mathcal{P}(L^{*})}\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+\langle v,x\rangle}{\|v\|}\right)^{2}}dx=\|v\|\,d(L^{*}).$$

  • Proof:

    Define

    $$f(x):=\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+\langle v,x\rangle}{\|v\|}\right)^{2}}.$$

    Notice that for any $w\in L^{*}$, $f(x)=f(x+w)$ since $\langle v,w\rangle\in\mathbb{Z}$ and hence $f$ is periodic on $L^{*}$. Consider the basis for $L^{*}$ given by any basis of the lattice $L^{*}\cap v^{\bot}$ and any vector $w$ in $L^{*}$ such that $\langle w,v\rangle=1$. Let $\mathcal{P}$ denote the corresponding parallelepiped. Then, using Claim A.4,

    $$\begin{aligned}
    \int_{\mathcal{P}(L^{*})}f(x)dx &= \int_{\mathcal{P}}f(x)dx=\frac{1}{\|v\|}\int_{0}^{1}\int_{\mathcal{P}\cap\{y\,|\,\langle y,v\rangle=a\}}f(x)dx~da\\
    &= \frac{1}{\|v\|}\int_{0}^{1}\int_{\mathcal{P}\cap\{y\,|\,\langle y,v\rangle=a\}}\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+a}{\|v\|}\right)^{2}}dx~da\\
    &= \frac{1}{\|v\|}\int_{0}^{1}\|v\|\,d(L^{*})\cdot\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+a}{\|v\|}\right)^{2}}da\\
    &= d(L^{*})\int_{0}^{1}\sum_{k\in\mathbb{Z}}e^{-\pi\left(\frac{k+a}{\|v\|}\right)^{2}}da=d(L^{*})\int_{-\infty}^{\infty}e^{-\pi\left(\frac{a}{\|v\|}\right)^{2}}da=\|v\|\,d(L^{*}).
    \end{aligned}$$
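Claims A.4 and A.5 can both be checked numerically on a small lattice with one midpoint-rule integrator over a fundamental parallelepiped. The script below is an added example, not code from the paper: the two-dimensional lattice with basis `V1 = (2, 0)`, `V2 = (1, 3)`, the lattice-periodic Gaussian test function used for Claim A.4, and the grid size are this example's own choices.

```python
"""Numerical checks of Claims A.4 and A.5 on a constructed two-dimensional lattice.

Added example, not code from the paper. The lattice L with basis V1, V2, the test
function and the midpoint-rule integrator are this script's own choices.
"""
import math

# Constructed lattice: L = {c1*V1 + c2*V2 : c1, c2 integers}; d(L) = |det[V1 V2]| = 6.
V1 = (2.0, 0.0)
V2 = (1.0, 3.0)


def det2(u, w):
    """Determinant of the 2x2 matrix with columns u and w."""
    return u[0] * w[1] - u[1] * w[0]


def dual_basis(u, w):
    """Basis of the dual lattice L* for the basis (u, w): the columns of (B^{-1})^T, B = [u w]."""
    d = det2(u, w)
    return (w[1] / d, -w[0] / d), (-u[1] / d, u[0] / d)


def integrate_over_parallelepiped(f, u, w, n=60):
    """Midpoint-rule approximation of  int_{P(u,w)} f(x) dx,  P(u,w) = {a u + b w : a, b in [0,1)}.

    Substituting x = a u + b w gives the Jacobian |det(u, w)|.  For a smooth f that is
    periodic on the lattice, the midpoint rule over a fundamental domain converges
    exponentially in n, so n = 60 already gives close to double precision here.
    """
    jac = abs(det2(u, w))
    total = 0.0
    for i in range(n):
        a = (i + 0.5) / n
        for j in range(n):
            b = (j + 0.5) / n
            total += f((a * u[0] + b * w[0], a * u[1] + b * w[1]))
    return jac * total / (n * n)


def gaussian_around_lattice(x, reach=4):
    """f(x) = sum_{y in L} exp(-pi ||x - y||^2), a function periodic on L.

    The sum is truncated to |c1|, |c2| <= reach; for the domains used below every omitted
    lattice point is more than 7 away from every evaluation point, so each contributes
    less than exp(-49 pi).  The integral of f over any fundamental domain of L equals
    int_{R^2} exp(-pi ||x||^2) dx = 1.
    """
    total = 0.0
    for c1 in range(-reach, reach + 1):
        for c2 in range(-reach, reach + 1):
            dx = x[0] - (c1 * V1[0] + c2 * V2[0])
            dy = x[1] - (c1 * V1[1] + c2 * V2[1])
            total += math.exp(-math.pi * (dx * dx + dy * dy))
    return total


def claim_a4_integrals():
    """Integral of the periodic function over P(v1, v2), P(v1 + v2, v2) and P(-v1, v2).

    Claim A.4 says all three agree; the last two bases arise from the first by the two
    basis operations used in its proof.
    """
    u1 = (V1[0] + V2[0], V1[1] + V2[1])
    neg = (-V1[0], -V1[1])
    return (integrate_over_parallelepiped(gaussian_around_lattice, V1, V2),
            integrate_over_parallelepiped(gaussian_around_lattice, u1, V2),
            integrate_over_parallelepiped(gaussian_around_lattice, neg, V2))


def claim_a5_integrand(v):
    """The function of Claim A.5 for a lattice vector v: sum_k exp(-pi ((k + <v,x>) / ||v||)^2)."""
    norm_v = math.hypot(v[0], v[1])

    def f(x):
        inner = v[0] * x[0] + v[1] * x[1]
        kmax = math.ceil(abs(inner) + 6.0 * norm_v)   # beyond this the terms are < exp(-36 pi)
        return sum(math.exp(-math.pi * ((k + inner) / norm_v) ** 2) for k in range(-kmax, kmax + 1))

    return f


def claim_a5_sides(v):
    """(lhs, rhs) of Claim A.5 for v in L: the integral over P(L*) and ||v|| d(L*)."""
    w1, w2 = dual_basis(V1, V2)
    lhs = integrate_over_parallelepiped(claim_a5_integrand(v), w1, w2)
    rhs = math.hypot(v[0], v[1]) / abs(det2(V1, V2))   # d(L*) = 1 / d(L)
    return lhs, rhs


if __name__ == "__main__":
    print("Claim A.4:", claim_a4_integrals())
    for v in [(2.0, 0.0), (3.0, 3.0), (4.0, 0.0)]:
        print("Claim A.5 for v =", v, ":", claim_a5_sides(v))
```

Changing the basis of $L$ leaves the integral at $1$, and for each lattice vector tried the left-hand side of Claim A.5 matches $\|v\|\,d(L^{*})$, including $v=(4,0)=2v_{1}$, where $\langle v,x\rangle$ runs through two periods of the summand across the parallelepiped.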

Claim A.6

Let $X_{1},\ldots,X_{m},Y_{1},\ldots,Y_{m}$ be mutually independent random variables. Then the statistical distance between the joint distributions satisfies

$$\Delta((X_{1},\ldots,X_{m}),(Y_{1},\ldots,Y_{m}))\le\sum_{i=1}^{m}\Delta(X_{i},Y_{i}).$$

  • Proof:

    We consider the case $m=2$. The claim follows for $m>2$ by induction. According to the triangle inequality,

    $$\Delta((X_{1},X_{2}),(Y_{1},Y_{2}))\le\Delta((X_{1},X_{2}),(X_{1},Y_{2}))+\Delta((X_{1},Y_{2}),(Y_{1},Y_{2})).$$

    Since $X_{1}$ is independent of $X_{2}$ and $Y_{2}$,

    $$\Delta((X_{1},X_{2}),(X_{1},Y_{2}))=\Delta(X_{2},Y_{2})$$

    and similarly

    $$\Delta((X_{1},Y_{2}),(Y_{1},Y_{2}))=\Delta(X_{1},Y_{1}).$$
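The hybrid argument in the proof of Claim A.6 can be run explicitly on small discrete distributions. The following Python script is an added example, not code from the paper; the distributions `X1`, `Y1`, `X2`, `Y2` are constructed for the check.

```python
"""Numerical check of Claim A.6 on constructed discrete distributions.

Added example, not code from the paper; the distributions below are made up for the check.
"""
from itertools import product


def statistical_distance(p, q):
    """Delta(P, Q) = (1/2) * sum_z |P(z) - Q(z)| for distributions given as {outcome: probability}."""
    return 0.5 * sum(abs(p.get(z, 0.0) - q.get(z, 0.0)) for z in set(p) | set(q))


def product_distribution(*dists):
    """Joint distribution of mutually independent variables: P(z_1, ..., z_m) = prod_i P_i(z_i)."""
    joint = {}
    for combo in product(*(d.items() for d in dists)):
        key = tuple(z for z, _ in combo)
        prob = 1.0
        for _, pr in combo:
            prob *= pr
        joint[key] = prob
    return joint


def claim_a6_sides(xs, ys):
    """(Delta of the joint distributions, sum of the marginal distances); Claim A.6 says lhs <= rhs."""
    lhs = statistical_distance(product_distribution(*xs), product_distribution(*ys))
    rhs = sum(statistical_distance(x, y) for x, y in zip(xs, ys))
    return lhs, rhs


def hybrid_steps(x1, x2, y1, y2):
    """The two terms of the triangle inequality in the proof (m = 2).

    The first equals Delta(X2, Y2) and the second Delta(X1, Y1), because the shared
    independent coordinate does not change the distance.
    """
    first = statistical_distance(product_distribution(x1, x2), product_distribution(x1, y2))
    second = statistical_distance(product_distribution(x1, y2), product_distribution(y1, y2))
    return first, second


# Constructed distributions: X1, Y1 on {0, 1}; X2, Y2 on {'a', 'b', 'c'}.
X1 = {0: 0.5, 1: 0.5}
Y1 = {0: 0.6, 1: 0.4}
X2 = {"a": 0.2, "b": 0.3, "c": 0.5}
Y2 = {"a": 0.3, "b": 0.3, "c": 0.4}

if __name__ == "__main__":
    print("Delta(X1, Y1) =", statistical_distance(X1, Y1), " Delta(X2, Y2) =", statistical_distance(X2, Y2))
    print("hybrid terms:", hybrid_steps(X1, X2, Y1, Y2))
    print("joint vs sum of marginals (m = 2):", claim_a6_sides([X1, X2], [Y1, Y2]))
    print("joint vs sum of marginals (m = 3):", claim_a6_sides([X1, X2, X1], [Y1, Y2, Y1]))
```

On these inputs both marginal distances are $0.1$, the two hybrid terms reproduce them exactly, and the joint distance ($0.13$) is strictly below their sum ($0.2$); the inequality is in general not tight.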

Properties of an LLL reduced basis

Claim A.7

Let B=(bi,j)1≀i,j≀n𝐡subscriptsubscript𝑏𝑖𝑗formulae-sequence1𝑖𝑗𝑛B=(b_{i,j})_{1\leq i,j\leq n}italic_B = ( italic_b start_POSTSUBSCRIPT italic_i , italic_j end_POSTSUBSCRIPT ) start_POSTSUBSCRIPT 1 ≀ italic_i , italic_j ≀ italic_n end_POSTSUBSCRIPT be an nΓ—n𝑛𝑛n\times nitalic_n Γ— italic_n upper triangular matrix such that for all i<j≀n𝑖𝑗𝑛i<j\leq nitalic_i < italic_j ≀ italic_n, |bi,j|≀|bi,i|subscript𝑏𝑖𝑗subscript𝑏𝑖𝑖|b_{i,j}|\leq|b_{i,i}|| italic_b start_POSTSUBSCRIPT italic_i , italic_j end_POSTSUBSCRIPT | ≀ | italic_b start_POSTSUBSCRIPT italic_i , italic_i end_POSTSUBSCRIPT |. Then, the entries of (BT)βˆ’1superscriptsuperscript𝐡𝑇1(B^{T})^{-1}( italic_B start_POSTSUPERSCRIPT italic_T end_POSTSUPERSCRIPT ) start_POSTSUPERSCRIPT - 1 end_POSTSUPERSCRIPT have an absolute value of at most 1mini⁑|bi,i|⁒2n1subscript𝑖subscript𝑏𝑖𝑖superscript2𝑛\frac{1}{\min_{i}|b_{i,i}|}2^{n}divide start_ARG 1 end_ARG start_ARG roman_min start_POSTSUBSCRIPT italic_i end_POSTSUBSCRIPT | italic_b start_POSTSUBSCRIPT italic_i , italic_i end_POSTSUBSCRIPT | end_ARG 2 start_POSTSUPERSCRIPT italic_n end_POSTSUPERSCRIPT.

  • Proof:

    First, let $D$ denote the diagonal matrix with values $b_{i,i}$ on the diagonal. Then $B$ can be written as $MD$ where $M$ is an upper triangular matrix with ones on the diagonal and all other entries have an absolute value of at most $1$. Then, $(B^T)^{-1}=(D^TM^T)^{-1}=(M^T)^{-1}D^{-1}$. Therefore, it is enough to show that the entries of $L:=(M^T)^{-1}$ have absolute values of at most $1$. The diagonal of $L$ is all ones and it is lower triangular. The entry $l_{i,j}$ for $i>j$ can be recursively defined by $-\sum_{j\leq k<i} l_{k,j}m_{k,i}$. Therefore,

    $|l_{i,j}| = \left|\sum_{j\leq k<i} l_{k,j}m_{k,i}\right| \leq \sum_{j\leq k<i} |l_{k,j}m_{k,i}| \leq \sum_{j\leq k<i} |l_{k,j}|$

    from which we get the bound $|l_{i,j}|\leq 2^{i-j}$ for $i\geq j$.

Claim A.8

Let $(v_1,\ldots,v_n)$ be an $LLL$-reduced basis of a lattice $L$ and let $\sum_{i=1}^n a_iv_i$ be its shortest vector. Then $|a_i|\leq 2^{2n}$ for all $i\in[n]$ and $\lambda(L)\leq\|v_1\|\leq 2^n\lambda(L)$. Moreover, if $(v_1^*,\ldots,v_n^*)$ is the dual basis, then $\|v_i^*\|\leq\frac{\sqrt{n}}{\lambda(L)}2^{2n}$ for all $i\in[n]$.

  • Proof:

    Let $(v_1^\dagger,\ldots,v_n^\dagger)$ denote the Gram-Schmidt orthogonalization of $(v_1,\ldots,v_n)$, i.e., $v_i^\dagger$ is the component of $v_i$ orthogonal to the subspace spanned by $v_1,\ldots,v_{i-1}$. Clearly, $\langle v_i^\dagger,v_j\rangle=0$ for $i>j$. Recall that in an LLL reduced basis $\|v_i^\dagger\|\leq\sqrt{2}\,\|v_{i+1}^\dagger\|$ and for $i<j$, $|\langle v_i^\dagger,v_j\rangle|\leq\frac{1}{2}\|v_i^\dagger\|^2$. In addition, recall that $\min_i\|v_i^\dagger\|$ is a lower bound on $\lambda(L)$. Then for any $i\in[n]$, $\|v_1^\dagger\|\leq 2^{(i-1)/2}\|v_i^\dagger\|$ and therefore $\|v_1^\dagger\|\leq 2^{(n-1)/2}\lambda(L)$. But since $v_1^\dagger=v_1$ we see that $\lambda(L)\leq\|v_1\|\leq 2^n\lambda(L)$.

    Consider the representation of $(v_1,\ldots,v_n)$ in the orthonormal basis $(v_1^\dagger/\|v_1^\dagger\|,\ldots,v_n^\dagger/\|v_n^\dagger\|)$. It is given by the columns of the matrix $B=(b_{i,j})_{1\leq i,j\leq n}$ where $b_{i,j}=\langle v_j,v_i^\dagger\rangle/\|v_i^\dagger\|$. Notice that this matrix is upper triangular and that its diagonal is $b_{i,i}=\|v_i^\dagger\|$. Also note that by the properties of an LLL reduced basis, $|b_{i,j}|\leq\frac{1}{2}\|v_i^\dagger\|$ for $i<j$. The shortest vector is $\sum_{i=1}^n a_iv_i=\sum_{i=1}^n\bigl(\sum_{j=i}^n a_jb_{i,j}\bigr)v_i^\dagger/\|v_i^\dagger\|$. Since its length is at most $2^n\|v_i^\dagger\|$, the absolute value of each of its coordinates is at most $2^n\|v_i^\dagger\|$. Hence, $\left|\sum_{j=i}^n a_jb_{i,j}\right|\leq 2^n\|v_i^\dagger\|$ for every $i\in[n]$. By taking $i=n$ we get that $|a_nb_{n,n}|\leq 2^n\|v_n^\dagger\|$ and hence $|a_n|$ is at most $2^n$.

    We continue inductively and show that $|a_k|\leq 2^{2n-k}$. Assume that the claim holds for $a_{k+1},\ldots,a_n$. Then, $\left|\sum_{j=k+1}^n a_jb_{k,j}\right|\leq\frac{1}{2}\left|\sum_{j=k+1}^n a_j\right|\|v_k^\dagger\|\leq\frac{1}{2}\bigl(\sum_{j=k+1}^n 2^{2n-j}\bigr)\|v_k^\dagger\|\leq\frac{1}{2}\cdot 2^{2n-k}\|v_k^\dagger\|$. By the triangle inequality, $|a_kb_{k,k}|\leq\left|\sum_{j=k+1}^n a_jb_{k,j}\right|+\left|\sum_{j=k}^n a_jb_{k,j}\right|\leq\bigl(\frac{1}{2}2^{2n-k}+2^n\bigr)\|v_k^\dagger\|\leq 2^{2n-k}\|v_k^\dagger\|$ and the proof of the first part is completed.

    The basis of the dual lattice is given by the columns of $(B^T)^{-1}$. Since $\min_i|b_{i,i}|\geq\frac{\lambda(L)}{2^n}$ and $|b_{i,j}|\leq\frac{1}{2}|b_{i,i}|$, Claim A.7 implies that the entries of $(B^T)^{-1}$ are at most $\frac{1}{\lambda(L)}2^{2n}$ in absolute value. Therefore, the length of each column vector is at most $\frac{\sqrt{n}}{\lambda(L)}2^{2n}$.
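The following is an added illustration of Claims A.7 and A.8 on a constructed two-dimensional basis; it is not code from the paper. It computes the Gram-Schmidt vectors $v_i^\dagger$ exactly, checks the two LLL properties the proof relies on, builds the upper triangular matrix $B$ of the proof, inverts $B^T$, and compares the largest entry of $(B^T)^{-1}$ and the dual basis lengths against the stated bounds (using $\min_i\|v_i^\dagger\|\leq\lambda(L)$ in place of the unknown $\lambda(L)$, which only loosens the Claim A.8 bound).

```python
from fractions import Fraction
from math import sqrt

# Added illustration of Claims A.7 and A.8; not code from the paper.
# A basis is a list of integer vectors v_1, ..., v_n (each a list of ints).

def dot(x, y):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(x, y))

def gram_schmidt(basis):
    """Gram-Schmidt vectors v_i^dagger, computed exactly in rationals."""
    gs = []
    for v in basis:
        w = [Fraction(x) for x in v]
        for u in gs:
            mu = dot(v, u) / dot(u, u)      # <v_i, v_j^dagger> / ||v_j^dagger||^2
            w = [wi - mu * ui for wi, ui in zip(w, u)]
        gs.append(w)
    return gs

def is_lll_reduced(basis):
    """The two LLL properties used in the proof of Claim A.8 (checked on squares):
    |<v_i^dagger, v_j>| <= ||v_i^dagger||^2 / 2 for i < j, and
    ||v_i^dagger||^2 <= 2 ||v_{i+1}^dagger||^2."""
    gs, n = gram_schmidt(basis), len(basis)
    for i in range(n):
        if any(abs(dot(gs[i], basis[j])) > dot(gs[i], gs[i]) / 2 for j in range(i + 1, n)):
            return False
        if i + 1 < n and dot(gs[i], gs[i]) > 2 * dot(gs[i + 1], gs[i + 1]):
            return False
    return True

def matrix_B(basis):
    """b_{i,j} = <v_j, v_i^dagger> / ||v_i^dagger||: coordinates of the basis in the
    orthonormal Gram-Schmidt basis. Upper triangular, b_{i,i} = ||v_i^dagger||."""
    gs, n = gram_schmidt(basis), len(basis)
    return [[float(dot(basis[j], gs[i])) / sqrt(float(dot(gs[i], gs[i])))
             for j in range(n)] for i in range(n)]

def inverse_transpose(B):
    """(B^T)^{-1} by forward substitution; B^T is lower triangular with B^T[i][k] = B[k][i]."""
    n = len(B)
    inv = [[0.0] * n for _ in range(n)]
    for col in range(n):
        for i in range(n):
            rhs = (1.0 if i == col else 0.0) - sum(B[k][i] * inv[k][col] for k in range(i))
            inv[i][col] = rhs / B[i][i]
    return inv

def check_claim_a7(basis):
    """Largest |entry| of (B^T)^{-1} versus the Claim A.7 bound 2^n / min_i |b_{i,i}|."""
    B = matrix_B(basis)
    n, inv = len(B), inverse_transpose(matrix_B(basis))
    largest = max(abs(x) for row in inv for x in row)
    return largest, 2 ** n / min(abs(B[i][i]) for i in range(n))

def check_dual_lengths(basis):
    """Longest dual basis vector (columns of (B^T)^{-1}) versus the Claim A.8 bound
    sqrt(n) 2^{2n} / lambda(L), with lambda(L) replaced by min_i ||v_i^dagger|| <= lambda(L)."""
    B = matrix_B(basis)
    n, inv = len(B), inverse_transpose(B)
    lengths = [sqrt(sum(inv[i][j] ** 2 for i in range(n))) for j in range(n)]
    return max(lengths), sqrt(n) * 2 ** (2 * n) / min(B[i][i] for i in range(n))

BASIS = [[2, 0], [1, 2]]   # constructed example: v_1 = (2,0), v_2 = (1,2), lambda(L) = 2
```

For the constructed basis, $B=\begin{pmatrix}2&1\\0&2\end{pmatrix}$, so $(B^T)^{-1}$ has largest entry $1/2$ against the Claim A.7 bound $2^2/2=2$, and the longest dual vector has length $\sqrt{5}/4$ against a bound of $8\sqrt{2}$.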